DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Information Technology Management Letter for the FY 2007
Customs and Border Protection Financial Statement Audit
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-08-50                                                      May 2008


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 6, 2008

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for Customs and Border Protection’s (CBP) financial statement audit as of September 30, 2007. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-08-12, November 2007) and represents the separate restricted distribution report mentioned in that report.
The independent accounting firm KPMG LLP (KPMG) performed the audit of CBP’s FY 2007 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 14, 2007, and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General


US Customs and Border Protection
Information Technology Management Letter
September 30, 2007

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope and Approach (page 1)
Summary of Findings and Recommendations (page 2)
IT General Controls Findings by Audit Area (page 3)
    Entity-Wide Security Program Planning and Management (page 3)
    Access Controls (page 4)
    Application Software Development and Change Controls (page 7)
    System Software (page 8)
    Service Continuity (page 9)
Application Control Findings (page 10)

APPENDICES

Appendix A: Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2007 CBP Financial Statement Audit (page 11)
Appendix B: FY 2007 Notices of IT Findings and Recommendations (page 13)
Appendix C: Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations (page 25)
Appendix D: Management’s Response to the Draft CBP IT Management Letter (page 36)


OBJECTIVE, SCOPE AND APPROACH

We have audited the consolidated balance sheets of the U.S. Department of Homeland Security’s Bureau of Customs and Border Protection (CBP) as of September 30, 2007 and 2006, and the related consolidated statements of net cost, changes in net position, custodial activity and the combined statement of budgetary resources for the years then ended.
The overall objective of our audit was to evaluate the effectiveness of IT general controls of CBP’s financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, formed the basis of our audit. The scope of the IT general controls assessment included testing at CBP’s Office of Information Technology (OIT) and other offices related to the IT general controls portion of the financial statement audit.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

• Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• System software (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices, as well as testing of key financial application controls. The technical security testing was performed both over the Internet and from within select CBP facilities, and focused on test, development, and production devices that directly support CBP financial processing and key general support systems.

In addition to testing CBP’s general control environment, we performed application control tests on a limited number of CBP financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2007, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements in its certification and accreditation program, especially related to its Administrative Applications and [redacted]. Also, issues with access controls related to the Systems, Applications and Products (SAP) system were addressed. However, during FY 2007, we continued to identify IT general control weaknesses at CBP. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data and controls over program changes.
Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we consider them to collectively represent a material weakness for CBP under standards established by the American Institute of Certified Public Accountants (AICPA). The information technology findings were combined into one material weakness regarding Information Technology for the FY 2007 audit of the CBP consolidated financial statements.

Although we noted improvement, many of the conditions identified at CBP in FY 2006 have not been corrected because CBP still faces challenges related to the merging of numerous IT functions, controls, processes, and organizational resource shortages. During FY 2007, CBP took steps to address these conditions. Despite these improvements, CBP needs further emphasis on the monitoring and enforcement of access controls as well as implementing and enforcing the CBP-wide security certification and accreditation (C&A) program. Many of the issues identified during our review, which were also identified during FY 2006 and prior years, can be addressed through a more consistent and effective security C&A program and security training program.

While the recommendations made by KPMG should be considered by CBP, it is the ultimate responsibility of CBP management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.


IT GENERAL CONTROL FINDINGS BY AREA

Entity-Wide Security Program Planning and Management

During FY 2007, CBP improved its level of entity-wide security program planning and management. However, continued efforts are needed, especially in the areas of program management related to the detection and monitoring of technical information security weaknesses. As identified in prior year issues reported in FY 2003, FY 2004, FY 2005 and FY 2006, we noted that improvements are still needed in CBP’s Incident Handling and Response Capability, which may potentially limit CBP’s ability to respond to incidents in an appropriate manner.
Collectively, the identified entity-wide security planning and management issues, coupled with the access control issues described later in this management letter, reduce the overall effectiveness of the entity-wide security programs for CBP.

1. Conditions noted regarding entity-wide security program planning and management were the following:

   • [redacted] will not be installed on all workstations for the majority of the fiscal year.
   • A complete listing of workstations is not maintained by System Security. System Security does not have the ability to quickly compile a listing of all workstations under CBP’s ownership.
   • The completion of security awareness training is not appropriately tracked at CBP.
   • The following documents did not have proper documented approval and/or approval dates:
      - SDLC Configuration Management Plan
      - Production Management Team Procedures
   • The [redacted] process has several weaknesses. KPMG [redacted]. Consequently, KPMG was not able to determine whether the reviews of specific [redacted] of roles were performed at these ports/headquarters. The [redacted] is not consistently executed at the various ports. Appropriate documentation is not maintained for all recertifications.
   • Virus protection is not installed on all CBP workstations.
   • The [redacted] did not have an Information Systems Security Officer (ISSO), but had been assigned an interim ISSO. This interim ISSO was not formally documented as the ISSO.

Recommendations:
1. We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders, consider the following actions:

   • [redacted] should be installed on all workstations under CBP control.
   • The use of local workgroups should be eliminated. All CBP workstations should be included in a CBP administered domain. Also, the CBP CIO should compile and regularly maintain a full and accurate listing of CBP workstations and use this list to monitor and maintain patch levels for all CBP workstations.
   • Security awareness training should be completed in a timely manner by all employees with access to CBP information systems. CBP should continue to work towards implementing online training for all personnel to facilitate automated tracking of the completion of security awareness training.
   • Procedures should be implemented and enforced in OIT divisions to perform a review of all documentation to update, consolidate and approve the documented procedures in use by operational personnel.
   • Procedures should be applied as outlined in the newly distributed memorandum from the Office of Field Operations dated April 27, 2007, while consistently documenting results of recertifications at the port level and maintaining said documentation.
   • Since the initial testing was performed, CBP has begun immediate remediation. CBP should continue remediation to ensure that antivirus protection is installed on all workstations under the control of CBP.
   • The appointment of the [redacted] Interim ISSO should be documented with a formal designation letter. Ultimately, a full time ISSO for the [redacted] should be appointed and documented with a formal designation letter.

Access Controls

Access to programs and controls over data should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Physically securing access includes keeping computers in locked rooms to limit physical access. Logical controls, such as security software programs, are designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of data and increase the risk of unauthorized data modification, malicious or unintentional destruction of data, or inappropriate disclosure of information.

During FY 2007, CBP improved in the area of access to programs and data, specifically regarding [redacted]. However, KPMG also identified additional issues. We noted significant access control vulnerabilities [redacted]. These are significant issues as personnel inside the organization who best understand the organization’s systems, applications, and business processes have the ability to knowingly, or unknowingly, exploit these specific systems, applications, and powerful system utilities. Some of the vulnerable devices identified were used for [redacted].
In some cases, users were able to access [redacted] with group passwords, system default passwords, or the same passwords with which they logged [redacted]. As a result, unauthorized users could maliciously target [redacted] to obtain information [redacted] to attempt further access into CBP’s [redacted].

2. Conditions noted regarding access controls were the following:
   • A full listing of trade partners was never compiled to assess the full scope of the status of connections to [redacted]. KPMG noted that a complete and accurate listing is still not maintained. Of those connections that have been accounted for, KPMG noted that only 7% of identified legacy connections had an interconnection security agreement (ISA) that has not expired. KPMG does note that a virtual private network (VPN) solution is being phased in and legacy connections are being phased out, and that significant progress is being made to move all existing trade partners to the new VPN solution, in which they will obtain an ISA documenting the connection.
   • A centralized listing of contract personnel is not maintained, including employment status. The only method CBP employs to track terminated contractors is the use of a report of users that had their mainframe accounts deleted. KPMG cannot acknowledge this list as representative of all terminated contractors, since terminated contract personnel may not have mainframe access or their access may not have been removed after their termination.
   • Password parameters do not meet CBP or DHS policy.
   • CBP policy is inconsistent with DHS policy. CBP’s policy stated that sessions should automatically disconnect after 30 minutes of inactivity, which is not consistent with DHS policy. Also, CBP’s policy stated that the workstation should log off from all connections after 5 minutes of inactivity. According to applicable guidance, not all system connections need to be terminated after 5 minutes of inactivity on the workstation. CBP workstations could not enforce the activation of a password-protected screensaver after five minutes of inactivity. The settings could be disabled or changed by individual users.
   • A solution has not been implemented to maintain [redacted] audit logs for an appropriate period of time. Audit logs are not being reviewed for security violations for the [redacted].
   • System accounts on the [redacted] are given to users so they may perform their duties at CBP. When a user has not used the account for a specified period of time as noted in issued policies, that account should be disabled automatically by the system. During the course of FY 2007, this control was not adequately implemented.
   • Deficiencies exist in control over physical data center access, resulting from inadequate recertification of physical access to the data center.
   • Audit logs of powerful [redacted] system utilities are not maintained. KPMG reviewed the existence of [redacted] logs for a selection of dates and noted that logs were not available for several of the selected dates. KPMG noted that within a 90-day window, complete logs were available for all selected dates except one. For the year-long window, 17 summary reports were unavailable.
   • [redacted] is currently configured to disable accounts after 90 days of inactivity. KPMG also noted that the job is configured to run weekly, which does not comply with the requirement for automatic disabling of accounts after 30 days of inactivity.
   • [redacted] has been adjusted to limit active emergency access to 24 hours after the request. KPMG notes, however, that the emergency table is still being used and that administrator or supervisory approval is not required each time emergency access is activated once an individual has been added to this emergency access table.
   • There are currently no procedures in place for the completion of semi-annual recertifications of [redacted] accounts. KPMG also noted that a recertification of [redacted] accounts is not performed on a semi-annual basis.
   • Several access control weaknesses for the VPN solution were found.
   • The log indicating changes to a user’s access in [redacted] is not regularly reviewed by personnel independent from those individuals that made the changes.
   • Evidence of the review of [redacted] security violation logs for 6 of 25 dates was not available for review.
   • Authorizations are not being maintained for personnel that have administrator access to Top Secret in the [redacted] environment.
   • Access control policies and procedures have not been formally documented for the [redacted]. KPMG also noted that access authorization forms were not completed for 27 out of 45 accounts created in FY 2007.
   • Procedures have been developed and a new termination form (CF-241) has been developed for use in terminating employees. However, these procedures were not implemented during the majority of the fiscal year.
   • Multiple terminated employees retained active accounts on the [redacted]. They were disabled as a result of accounts being inactive for 90 days. Therefore, these accounts were active 90 days after the employee terminated from CBP.
   • Configuration management exceptions were identified on CBP domain controllers and hosts supporting the [redacted].
   • Patch management exceptions were identified on CBP domain controllers and hosts supporting the [redacted].

Recommendations:
2. We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders, consider the following actions:
   • CBP should identify all connections in place with the [redacted] and account for each connection with a documented ISA.
   • CBP should continue to work towards implementation of a contractor employee tracking system. Deactivation of all systems access of terminated contractors should occur immediately upon separation from CBP. A listing of terminated contract personnel should be periodically distributed to information system administrators so they remove user access and periodically assess contractor access to CBP systems.
   • Configuration of [redacted] password policies should reflect those set forth in CBP and DHS guidance. Also, configuration of [redacted] password policies should reflect those set forth in CBP and DHS guidance.
   • CBP’s automatic session disconnection policy should be modified to be consistent with DHS policy. CBP’s policy should be modified to reflect that only the password-protected screensaver must be activated after 5 minutes of inactivity.
CBP should continue deployment of Active Directory and Windows 2003 in order to establish and maintain group policy and enforce password-protected screensaver settings on the workstations.
   • CBP should configure the [redacted] to maintain audit logs and track security events according to CBP and DHS policies. [redacted] audit logs should be reviewed on a regular basis, according to CBP and DHS policy, to detect potential security events.
   • [redacted] Administrators should implement a control to automatically disable or remove accounts after thirty days of inactivity in the system.
   • CBP should continue to work towards improving the recertification process followed for reviewing access to the data center. An access request form should be required before access is granted to the data center, as stated in CBP policies and procedures. Terminated employees’ access should be removed immediately upon termination of the employee.
   • Complete and accurate records should be maintained of [redacted] logs in accordance with CBP document retention policy. The [redacted] logs should be reviewed regularly for suspicious activity in accordance with CBP policy.
   • The configuration for [redacted] should be modified to disable accounts after 30 days of inactivity. The job schedule for the deactivation procedure should be modified to execute on a daily basis to minimize the time difference between the inactivity period and deactivation time.
   • Supervisory approval should be required each time a user requires activation of emergency access abilities on the [redacted]. Regular recertifications of the emergency access table should be performed to ensure persons with the capability to request emergency access need to remain on the emergency access table.
   • Formal procedures should be developed outlining guidance for recertifying accounts and access to shared data. Regular recertifications of [redacted] accounts and access to shared data should be performed as required by the developed procedures.
   • The VPN servers should be configured to store information about the creation dates and activity of users in order to be able to properly identify inactive accounts and allow for their deletion. The recertification process should be automated in order to remove the need for after-the-fact recertification via methods not documented in recertification procedures (email, verbal, etc.). The process of deactivating accounts at the end of the recertification period should be improved to ensure that all accounts that should be removed from the system are removed.
   • Procedures should be formalized for reviewing access change logs. The review of these logs should be implemented on a periodic basis as set forth in CBP procedures.
   • A periodic review of access violation logs should be performed for all systems.
   • Procedures should be developed and implemented to restrict access to administrative capabilities. Documented and approved authorization requests should be required for each person needing access to the mainframe administrative capabilities.
   • Access control policies and procedures should be developed and implemented for the [redacted]. Documented and approved authorization requests should be required for each person needing access to the [redacted].
   • The recently developed procedures for completion of the employee termination forms should be implemented. System Security should be notified of all terminating employees so that systems access can be removed appropriately and in a timely manner.
   • CBP should work to coordinate notices of termination of employees in a timely manner so that accounts can be deactivated immediately upon the departure of the employee.
   • Corrective actions should be implemented to ensure that information systems that support the [redacted] and other financial systems are configured to the security requirements outlined in DHS policy. Configurations that should be addressed include, but are not limited to: stronger password configurations, restrictions on access granted to ports on servers, and audit log generation and maintenance.
   • Corrective actions should be completed for the vulnerabilities identified, and policies and procedures should be implemented to ensure that the information systems that support and maintain CBP financial data are secured with the most up to date and tested patches provided by vendors. Patches that have been validated as appropriate for CBP information systems should be applied to these systems to address the conditions noted.

Application Software Development and Change Controls

During FY 2007, we noted that CBP took corrective actions to address and close most prior year findings related to program changes. However, we identified additional findings related to program changes during our FY 2007 test work.

3. Conditions noted regarding program changes at CBP were the following:
   • Developers can overwrite existing code in the development environment. The developer is able to extract the code from the development environment and place it into a personal folder on the user’s personal computer. If multiple users are modifying a program in their own personal folders, they may be overwriting existing changes.
   • Controls over changes to the [redacted] environment need improvement.
      − 3 out of 5 selected [redacted] did not have post-implementation executive approval as required by the new OIT emergency change procedures.
      − 3 of the 15 selected changes to [redacted] did not have formally documented test plans or test results.
      − None of the changes to [redacted] showed evidence of review of the test results documented.
   • Controls over changes to the [redacted] need improvement.
      − 9 of the 20 changes to [redacted] did not have formal test plans or documented results.
      − None of the changes to [redacted] showed
evidence of review of the documented test results.\n\nRecommendations:\n3.\t We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders\n    consider the following actions:\n   \xe2\x80\xa2\t Procedures should be implemented which prevent the overwriting of development code in the\n      development environment.\n   \xe2\x80\xa2\t Emergency change management post-implementation procedures should be constantly applied\n      to all                                Furthermore, regular review of post-implementation\n      procedures should occur. Regular feedback should be provided to change administrators to\n      determine if any post-implementation steps may have been missed due to the expeditious\n      nature of emergency changes.\n   \xe2\x80\xa2\t CBP management OIT Change Control Board (CCB) and                        should ensure that all\n      program offices appropriately document all test data, transactions, and program change results\n      to monitor the quality of program changes.\n\nSystem Software\n\nDuring FY 2007, we noted that CBP took corrective actions to address and close one prior year\nfinding related to system software. However, we identified additional findings related to system\nsoftware during our FY 2007 test work.\n\n4. Conditions noted regarding system software at CBP were the following:\n    \xe2\x80\xa2\t Reviews of powerful system utilities are not conducted. 
While procedures are now in place\n       for review of these logs, these procedures were not in place for the majority of the fiscal year.\n\nRecommendations:\n4.\t We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders\n    consider the following actions:\n    \xe2\x80\xa2\t Policies and procedures that have been developed for monitoring and reviewing logs of\n       powerful           system utilities for suspicious activity should be fully implemented.\n\n\n\nService Continuity\n\nDuring FY 2007, we noted that CBP took corrective actions to address and close all prior year findings\nrelated to service continuity. However, we identified additional findings related to service continuity\nduring our FY 2007 test work.\n\n5. Conditions noted regarding service continuity at CBP were the following:\n\n                                           8\n Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                               US Customs and Border Protection\n                            Information Technology Management Letter\n                                       September 30, 2007\n\n\n   \xe2\x80\xa2\t Backup tapes did not have external labels affixed in order to indicate the sensitivity of the data\n      contained in the tapes. Instead, containers in which the tapes are stored are labeled with media\n      labels. Currently, CBP has obtained a waiver which relieves the responsibility to label media\n      directly. However, because CBP is not in compliance with DHS policy, despite obtaining a\n      waiver, the risk of CBP non-compliance still remains. 
If backup tapes were removed from the\n      common container, there is still no indication of the sensitivity of the data on the tapes.\n   \xe2\x80\xa2\t Tape withdrawal requests were not documented.\n\nRecommendations:\n5.\t We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders\n    consider the following actions:\n   \xe2\x80\xa2\t A method for labeling tapes should be developed that will not interfere with the tape library\n      hardware.\n   \xe2\x80\xa2\t Tape withdrawal requests should be monitored and logged to ensure that the withdrawal\n      protocols are being appropriately followed.\n\n\n\n\n                                           9\n\n Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                US Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2007\n\n\n                              APPLICATION CONTROL FINDINGS \n\nDuring FY 2007, KPMG noted that a weakness in the drawback controls continues to exist within the\n             . Specifically,      does not support the tracking of drawback items to the line item level.\nRather,        only tracks drawbacks on a summary level. This control weakness was identified in FYs\n2003, 2004, 2005, and 2006. This control weakness was presented to CBP management by the KPMG\nfinancial statement team as significant control weaknesses and also noted by the KPMG IT team.\nAlso, due to the design of      , certain controls can be overridden without supervisory approval. 
For\nexample, when a CBP entry specialist attempts to liquidate an import entry in              , the system\ndisplays a warning message, indicating that a drawback claim had been filed against the import entry.\nHowever, entry specialists could override the warning message without supervisory review and\nprocess a refund without investigating pending drawback claims. The purpose of this warning\nmessage is to ensure that both a refund and drawback are not paid on the same goods. Entry\nspecialists could override system edits designed to detect refunds exceeding the total duty, tax, and\nfees paid on an import entry.       does not currently generate override reports for supervisory review.\nIn FY 2007, KPMG noted that there has been little change in the status of this finding. CBP is\ndeveloping a control override report which will record all control overrides that have taken place for a\nperiod of time. Management stated that          will not be implemented in FY 2007. KPMG concluded\nthat a control mechanism to prevent overrides by specialists without supervisory approval would be an\nappropriate technical safeguard under application controls. Therefore, CBP should develop and\nimplement a management review process of a control override report to facilitate independent review\nof any control overrides that take place. Ultimately, CBP should implement the appropriate controls\nin       so that supervisory approval is required before a control override can occur.\n\n\n\n\n                                          10 \n\n Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                US Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2007\n\n\n                   MANAGEMENT COMMENTS AND OIG EVALUATION \n\n\nWe obtained written comments on a draft of this report from the CBP CIO. 
Generally, the CBP CIO\nagreed with all of the report\xe2\x80\x99s findings and recommendations. We have incorporated the comments\nwhere appropriate and included a copy of the comments in their entirety at Appendix D.\n\n\nIn his response, the CBP CIO stated that CBP is:\n        \xe2\x80\xa2\t Taking steps to ensure that entity-wide security program planning and management\n           controls are in place to establish a framework and continuing cycle of activity to manage\n           security risk;\n        \xe2\x80\xa2\t Working to ensure that the assignment of sensitive functions is legitimate, that the\n           weaknesses that can lead to a control override in certain systems is mitigated, and that\n           physical and electronic access to sensitive CBP systems is secured and carefully\n           monitored;\n        \xe2\x80\xa2\t Continuing to develop applicable policies and procedures to ensure that certain duties are\n           separated, as necessary and to monitor user roles and new user or access requests to\n           prevent future segregation of duty conflicts;\n        \xe2\x80\xa2\t Working to ensure that the                                Continuity of Operations Plan\n           (COOP) is as current as possible, and that the alternate processing site has the hardware\n           and support necessary to continue operations in the event of an emergency; and\n        \xe2\x80\xa2\t Ensuring that proper separation of roles between the development and production\n           environments are established.\n\nOIG Response\n\n\nWe agree with the steps that CBP is taking to satisfy these recommendations.\n\n\n\n\n                                          11 \n\n Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                           US Customs and Border Protection\n                        Information Technology Management Letter\n                                   September 30, 2007\n\n\n\n\n       
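The following is an added illustrative model of the control override weakness described under Application Control Findings. It is example code added to this letter; it is not code from CBP, KPMG, or the redacted system, and the class, method, entry and user names in it are hypothetical. It places the condition as found (a warning that the entry specialist alone can override, with no record kept) beside the recommended control (supervisory approval by someone other than the specialist before an override takes effect, and every override written to a report that management can review for a chosen period):

```python
"""Added illustrative example, not code from the CBP letter or the audited
system. Models the liquidation warning/override control discussed under
Application Control Findings. All names and values are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass
class ImportEntry:
    entry_id: str
    duties_paid: Decimal          # total duty, tax and fees paid on the entry
    drawback_claim_pending: bool  # a drawback claim has been filed against it


@dataclass
class OverrideRecord:
    """One line of the control override report for supervisory review."""
    timestamp: datetime
    entry_id: str
    control: str       # which system edit was overridden
    specialist: str
    approver: str


class SupervisoryApprovalRequired(Exception):
    """Raised when a refund would bypass a system edit without a supervisor."""


class LiquidationSystem:
    def __init__(self, supervisors: List[str]) -> None:
        self.supervisors = set(supervisors)
        self.override_report: List[OverrideRecord] = []

    @staticmethod
    def failed_edits(entry: ImportEntry, refund: Decimal) -> List[str]:
        """System edits that fire on this refund; each is a control an override bypasses."""
        edits = []
        if entry.drawback_claim_pending:
            edits.append("DRAWBACK_CLAIM_PENDING")  # refund and drawback on the same goods
        if refund > entry.duties_paid:
            edits.append("REFUND_EXCEEDS_DUTIES")   # refund larger than duty, tax and fees paid
        return edits

    def liquidate_weak(self, entry: ImportEntry, refund: Decimal,
                       specialist: str, override: bool = False) -> Tuple[str, object]:
        """Condition as found: the warning is displayed, but the specialist can
        override it alone and no override report is produced."""
        edits = self.failed_edits(entry, refund)
        if edits and not override:
            return ("WARNING", edits)
        return ("REFUNDED", refund)

    def liquidate_controlled(self, entry: ImportEntry, refund: Decimal,
                             specialist: str, approver: Optional[str] = None,
                             now: Optional[datetime] = None) -> Tuple[str, object]:
        """Recommended control: an override requires a supervisor other than the
        specialist, and every overridden edit is recorded for independent review."""
        edits = self.failed_edits(entry, refund)
        if edits:
            if approver is None or approver not in self.supervisors or approver == specialist:
                raise SupervisoryApprovalRequired(
                    f"{entry.entry_id}: {', '.join(edits)} require supervisory approval")
            stamp = now or datetime.now()
            for control in edits:
                self.override_report.append(
                    OverrideRecord(stamp, entry.entry_id, control, specialist, approver))
        return ("REFUNDED", refund)

    def overrides_between(self, start: datetime, end: datetime) -> List[OverrideRecord]:
        """The management review report: all overrides that took place in a period."""
        return [r for r in self.override_report if start <= r.timestamp < end]


def demo() -> dict:
    """Runs both behaviours on one constructed entry and returns what happened."""
    system = LiquidationSystem(supervisors=["sup.jones"])
    entry = ImportEntry("ENTRY-0001", Decimal("1000.00"), drawback_claim_pending=True)
    refund = Decimal("1200.00")  # exceeds duties paid, and a drawback claim is pending
    when = datetime(2007, 9, 15, 10, 0)

    weak = system.liquidate_weak(entry, refund, "specialist.a", override=True)
    try:
        system.liquidate_controlled(entry, refund, "specialist.a", now=when)
        blocked = False
    except SupervisoryApprovalRequired:
        blocked = True
    approved = system.liquidate_controlled(entry, refund, "specialist.a",
                                           approver="sup.jones", now=when)
    report = system.overrides_between(datetime(2007, 9, 1), datetime(2007, 10, 1))
    return {"weak": weak, "blocked_without_supervisor": blocked,
            "approved": approved, "overrides_reported": len(report),
            "controls_overridden": sorted(r.control for r in report)}


if __name__ == "__main__":
    print(demo())
```

In the weak path the refund of 1200.00 against 1000.00 in duties paid, on an entry with a pending drawback claim, goes through on the specialist's say-so and leaves no trace; in the controlled path the same refund is refused until a supervisor approves it, and both overridden edits appear on the period report that the letter recommends management review.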
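The following is an added illustrative example for the inactive-account recommendations in this letter (the VPN server recommendation under Access Controls, and NFRs CBP-IT-07-09 and CBP-IT-07-15 in Appendix B). It is example code added here, not code from CBP or its systems; the account records, names and dates are constructed. It shows why a stored creation date is needed to identify accounts that were never used, and computes the lag between an account's last activity and its deactivation under the configuration found (90-day threshold, weekly job) and the recommended one (30-day threshold, daily job):

```python
"""Added illustrative example, not code from the CBP letter or its systems.
Identifies inactive accounts from constructed account records and computes how
long an account can remain enabled under a given deactivation job schedule.
All account names and dates are constructed."""
from datetime import date, timedelta
from typing import List, NamedTuple, Optional


class Account(NamedTuple):
    user: str
    created: date                  # creation date stored by the server
    last_activity: Optional[date]  # None when the account has never been used
    enabled: bool


# Constructed sample records, of the kind a VPN server that stores creation
# dates and user activity could export for a recertification.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2007, 1, 10), date(2007, 9, 25), True),   # recently used
    Account("bob",   date(2006, 11, 2), date(2007, 8, 15), True),   # 46 days idle
    Account("carol", date(2007, 7, 1),  None,              True),   # never used since creation
    Account("dave",  date(2006, 5, 5),  date(2007, 6, 1),  False),  # already disabled
    Account("erin",  date(2007, 2, 14), date(2007, 8, 31), True),   # exactly 30 days idle
]


def inactive_accounts(accounts: List[Account], as_of: date,
                      threshold_days: int = 30) -> List[str]:
    """Enabled accounts whose last activity, or creation date if never used,
    is at least threshold_days before as_of. Without a stored creation date a
    never-used account has no baseline and cannot be identified at all."""
    idle = []
    for acct in accounts:
        if not acct.enabled:
            continue
        baseline = acct.last_activity or acct.created
        if (as_of - baseline).days >= threshold_days:
            idle.append(acct.user)
    return idle


def demo_inactive(as_of: date = date(2007, 9, 30)) -> List[str]:
    """Inactive accounts in the constructed sample as of the fiscal year end."""
    return inactive_accounts(SAMPLE_ACCOUNTS, as_of)


def disable_date(last_activity: date, threshold_days: int,
                 first_run: date, run_every_days: int) -> date:
    """First run of a job scheduled every run_every_days (starting first_run)
    on which the account has been idle for at least threshold_days."""
    run = first_run
    while (run - last_activity).days < threshold_days:
        run += timedelta(days=run_every_days)
    return run


def worst_case_enabled_days(threshold_days: int, run_every_days: int) -> int:
    """Longest an idle account can stay enabled: it crosses the threshold the
    day after a run and then waits a full period for the next one."""
    return threshold_days + run_every_days - 1


def compare_schedules(last_activity: date = date(2007, 7, 1),
                      first_run: date = date(2007, 7, 2)) -> dict:
    """Lag in days between last activity and deactivation for the configuration
    found (90-day threshold, weekly job) and the recommended one (30 days, daily)."""
    found = disable_date(last_activity, 90, first_run, 7)
    recommended = disable_date(last_activity, 30, first_run, 1)
    return {
        "found_lag_days": (found - last_activity).days,
        "recommended_lag_days": (recommended - last_activity).days,
        "found_worst_case": worst_case_enabled_days(90, 7),
        "recommended_worst_case": worst_case_enabled_days(30, 1),
    }


if __name__ == "__main__":
    print(demo_inactive())
    print(compare_schedules())
```

On the sample data, the check flags bob, carol (never used, so the creation date is the baseline) and erin, who sits exactly at the 30-day threshold; alice is active and dave is already disabled. For the schedule comparison, an account last used on 1 July is disabled on 1 October under the weekly 90-day job (a 92-day lag, with a worst case of 96 days) but on 31 July under the daily 30-day job, which is the "time difference between the inactivity period and deactivation time" that the recommendation for CBP-IT-07-15 aims to minimize.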
APPENDIX A

DESCRIPTION OF KEY FINANCIAL SYSTEMS AND IT INFRASTRUCTURE WITHIN THE SCOPE OF THE FY 2007 CBP FINANCIAL STATEMENT AUDIT

DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE

Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2007 Financial Statement Audit.

Locations of Review: The CBP [redacted].

Systems Subject to Review:
• [redacted] is CBP’s financial management system that consists of a ‘core’ system, which supports primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. [redacted] is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the [redacted]-based financial system using a phased approach.
• [redacted] is a collection of business process [redacted]-based systems used by CBP to track, control, and process all commercial goods, conveyances and private aircraft entering the U.S. territory for the purpose of collecting import duties, fees, and taxes owed to the Federal government. Key application software within [redacted] includes systems for data input/output, entry and entry summary, and collection of revenue.
• [redacted] – Used for tracking seized assets, Customs Forfeiture Fund, and fines and penalties.

FOR OFFICIAL USE ONLY

APPENDIX B

FY 2007 NOTICES OF IT FINDINGS AND RECOMMENDATIONS

CBP FY 2007 IT NOTICES OF FINDINGS AND RECOMMENDATIONS RELATED TO FINANCIAL SYSTEM SECURITY

Notices of Findings and Recommendations – Definition of Risk Ratings:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and Low based upon the potential impact that each weakness could have on the CBP’s control environment and on the integrity of the financial data residing on the CBP’s financial systems.
In addition, analysis was conducted collectively on all the NFRs to assess connections between individual NFRs, which when joined together could lead to a control weakness occurring with more likelihood and/or higher impact potential.

High Risk: A control weakness serious enough in nature to create a potential material misstatement to the financial statements.

Medium Risk: A control weakness, in conjunction with other events, less severe in nature than a high risk issue, which could lead to a misstatement to the financial statements.

Low Risk: A control weakness minimal in impact to the financial statements.

The risk ratings included in this report are intended solely to assist management in prioritizing its corrective actions.

Table columns: NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

NFR #: CBP-IT-07-01    New Issue: –    Repeat Issue: X    Risk Rating: High
Condition: Due to the design of [redacted], certain controls can be overridden without supervisory approval. For example, when a CBP entry specialist attempts to liquidate an import entry in [redacted], the system displays a warning message indicating that a drawback claim has been filed against the import entry. However, entry specialists could override the warning message without supervisory review and process a refund without investigating pending drawback claims. The purpose of this warning message is to ensure that both a refund and a drawback are not paid on the same goods. We also determined that entry specialists could override system edits designed to detect refunds exceeding the total duty, tax, and fees paid on an import entry. [redacted] does not currently generate override reports for supervisory review.
In FY 2007, we noted that there has been little change in the status of this finding. CBP is developing a control override report which will record all control overrides that have taken place for a period of time. Management stated that [redacted] will not be implemented in FY 2007. We concluded that a control mechanism to prevent overrides by specialists without supervisory approval would be an appropriate technical safeguard under application controls.
Recommendation:
   • Develop and implement a management review process of a control override report to facilitate independent review of any control overrides that take place.
   • Implement the appropriate controls in [redacted] so that supervisory approval is required before a control override can occur.

NFR #: CBP-IT-07-02    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: A full listing of trade partners was never compiled to assess the full scope of the status of connections to [redacted]. We noted that a complete and accurate listing is still not maintained. Of those connections that have been accounted for, we noted that only 7% of identified legacy connections had an ISA that has not expired. A VPN solution is being phased in and legacy connections are being phased out, and significant progress is being made to move all existing trade partners to the new VPN solution, in which they will obtain an ISA documenting the connection.
Recommendation: Identify all connections in place with the [redacted] and account for each connection with a documented ISA.

NFR #: CBP-IT-07-03    New Issue: –    Repeat Issue: X    Risk Rating: High
Condition: CBP does not maintain a centralized listing of contract personnel, including employment status. The only method CBP employs to track terminated contractors is the use of a report of users that had their mainframe accounts deleted. We cannot acknowledge this list as representative of all terminated contractors, since terminated contract personnel may not have mainframe access or their access was not removed after their termination.
Recommendation:
   • Continue work towards implementation of a contractor employee tracking system.
   • Deactivate all systems access of terminated contractors immediately upon separation from CBP.
   • Periodically distribute a listing of terminated contract personnel to information system administrators so they remove user access, and periodically assess contractor access to CBP systems.

NFR #: CBP-IT-07-04    New Issue: –    Repeat Issue: X    Risk Rating: Low
Condition: We confirmed that in FY 2007, backup tapes do not have external labels affixed in order to indicate the sensitivity of the data contained in the tapes. Instead, the containers in which the tapes are stored are labeled with media labels. Currently, CBP has obtained a waiver which waives the responsibility to label media directly. However, CBP remains non-compliant and the risk still remains.
Recommendation: Develop a method for labeling tapes that will not interfere with the tape library machinery.

NFR #: CBP-IT-07-05    New Issue: –    Repeat Issue: X    Risk Rating: High
Condition: We noted the following issues related to password parameters:
   • [redacted] minimum password length is set to six characters
   • Password complexity is not set on the [redacted]
   • [redacted] minimum password length is set to six characters
   • Password complexity is not set on the [redacted]
Recommendation:
   • Configure [redacted] password policies to reflect those set forth in CBP and DHS guidance.
   • Configure [redacted] password policies to reflect those set forth in CBP and DHS guidance.

NFR #: CBP-IT-07-06    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: We noted the following issues:
   • CBP’s policy stated that sessions should automatically disconnect after 30 minutes of inactivity, which is not consistent with DHS policy.
   • CBP’s policy stated that the workstation should log off from all connections after 5 minutes of inactivity. According to applicable guidance, all system connections do not have to be terminated after 5 minutes of inactivity on the workstation.
   • CBP workstations could not enforce the activation of a password-protected screensaver after five minutes of inactivity. The settings could be disabled or changed by individual users.
Recommendation:
   • Modify CBP’s automatic session disconnection policy so that it is consistent with DHS policy.
   • Modify CBP policy to reflect that only the password-protected screensaver must be activated after 5 minutes of inactivity.
   • Continue deployment of [redacted] and Windows 2003 in order to establish and maintain group policy and enforce password-protected screensaver settings on the workstations.

NFR #: CBP-IT-07-07    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: We determined that [redacted] does not have the ability to prevent developers from overwriting existing code in the development environment. The developer is able to extract the code from the development environment and place it into a personal folder on the user’s personal computer. If multiple users are modifying a program in their own personal folders, they may be overwriting existing changes.
Recommendation: Implement procedures which prevent the overwriting of development code in the development environment.

NFR #: CBP-IT-07-08    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: A solution has not been implemented to maintain [redacted] audit logs for an appropriate period of time. Audit logs are not being reviewed for security violations for the [redacted].
Recommendation:
   • Configure the [redacted] system to maintain audit logs and track security events according to CBP and DHS policies.
   • Review [redacted] audit logs on a regular basis, according to CBP and DHS policy, to detect potential security events.

NFR #: CBP-IT-07-09    New Issue: –    Repeat Issue: X    Risk Rating: High
Condition: We noted that accounts are not deactivated automatically after 30 days of inactivity. Accounts are disabled for inactivity once a month using a manually initiated job.
Recommendation: Implement a control to automatically disable or remove accounts after thirty days of inactivity in the [redacted] system.

NFR #: CBP-IT-07-10    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: We reviewed the procedures and evidence of the most recent recertification performed for physical access to the data center. We noted the following:
   • Two people had access that was not appropriately documented with an approved access request form.
   • One terminated employee retained access after the recertification.
   • One user was marked to be removed as a result of the recertification but was not removed appropriately.
Recommendation:
   • Continue to work towards improving the recertification process.
   • Require an access request form before access is granted to the data center, as stated in policies and procedures.
   • Remove terminated employees’ access immediately upon termination of the employee.

NFR #: CBP-IT-07-11    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: CBP System Security does not consistently retain audit logs of powerful [redacted] system utilities. We reviewed the existence of [redacted] logs for a selection of dates and noted that logs were not available for a series of dates. We noted that within a 90 day window, complete logs were available for all selected dates except one. For the year long window, 17 summary reports were unavailable.
Recommendation:
   • Maintain complete and accurate records of [redacted] logs according to CBP document retention policy.
   • Regularly review the [redacted] logs for suspicious activity according to CBP policy.

NFR #: CBP-IT-07-12    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: As identified in prior year issues reported in FY 2003, FY 2004, FY 2005 and FY 2006, we noted that improvements are still needed in CBP’s Incident Handling and Response Capability, which may potentially limit CBP’s ability to respond to incidents in an appropriate manner. In FY 2007, we noted that [redacted] will not be installed on all workstations for the majority of the fiscal year.
Recommendation: Ensure that [redacted] is installed on all workstations under the control of CBP.

NFR #: CBP-IT-07-13    New Issue: X    Repeat Issue: –    Risk Rating: Medium
Condition: During test work around the application of security patches, we noted that a complete listing of workstations is not maintained by System Security. We noted that System Security does not have the ability to quickly compile a listing of all workstations under CBP’s ownership.
Recommendation:
   • Work to eliminate the use of local workgroups and include all CBP workstations in a CBP administered domain.
   • Compile and regularly maintain a full and accurate listing of CBP workstations and use this list to monitor and maintain patch levels for all CBP workstations.

NFR #: CBP-IT-07-14    New Issue: –    Repeat Issue: X    Risk Rating: Low
Condition: We noted that tape withdrawal requests are not documented.
Recommendation: Monitor tape withdrawal requests that come from employees and log these requests to ensure that tape withdrawals are being completed appropriately.

NFR #: CBP-IT-07-15    New Issue: –    Repeat Issue: X    Risk Rating: High
Condition: We noted that the [redacted] is currently configured to disable accounts after 90 days of inactivity. We also noted that the job is configured to run weekly, which does not comply with the requirement for automatic disabling of accounts.
Recommendation:
   • Change the configuration for [redacted] to disable accounts after 30 days of inactivity.
   • Change the job schedule for the deactivation procedure to run on a daily basis to minimize the time difference between the inactivity period and deactivation time.

NFR #: CBP-IT-07-16    New Issue: –    Repeat Issue: X    Risk Rating: Medium
Condition: We noted that the [redacted] has been adjusted to limit active emergency access to 24 hours after the request.
Recommendation:
   • Require supervisory approval each time a
user requires activation\n               We noted however that the emergency             of emergency access\n               table is still being used and that\n\n                                                19\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                  APPENDIX B\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                          New      Repeat    Risk\n   NFR #                     Condition                         Recommendation\n                                                                                          Issue     Issue   Rating\n               administrator or supervisory approval is       abilities.\n               not required each time emergency           \xe2\x80\xa2   Perform regular\n               access is activated.                           recertifications of the\n                                                              emergency access table\n                                                              to ensure persons with\n                                                              the capability to request\n                                                              emergency access need\n                                                              to remain on the\n                                                              emergency access table.\n\nCBP-IT-07-17   CBP System Security does not conduct       Implement policies and                     X      Medium\n               reviews of powerful system utilities.      
procedures that have been\n               Specifically, the utilities                developed for monitoring\n                                                   are    and reviewing logs of\n               not reviewed by management.                powerful system utilities for\n                                                          suspicious activity.\n               Additionally, while procedures are now\n               in place for review of these logs, these\n               procedures were not in place for the\n               majority of the fiscal year.\n\nCBP-IT-07-18   We noted there are currently no            \xe2\x80\xa2   Develop formal               X                Medium\n               procedures in place for the completion         procedures for\n               of semi-annual recertifications of             recertifying\n                      accounts. We also note that a           accounts and access to\n               recertification of            accounts         shared data.\n               is not performed on a semi-annual          \xe2\x80\xa2   Perform regular\n               basis.                                         recertifications of\n                                                                    accounts and\n                                                              access to shared data as\n                                                              required by developed\n                                                              procedures.\n\nCBP-IT-07-19   We noted that the completion of            \xe2\x80\xa2   Ensure that security                   X         Low\n               security awareness training is not             awareness training is\n               appropriately tracked at CBP. 
We               completed in a timely\n               noted that out of a selection of 45 CBP        manner by all employees\n               employees, one employee maintained             with access to CBP\n               access to       without having                 information systems.\n               completed the refresher security           \xe2\x80\xa2   Continue to work\n               awareness training course. The                 towards implementing\n               individual completed an awareness              online training for all\n               course that was not the CBP-wide               CBP personnel to\n               security awareness training required for       facilitate automated\n               all CBP employees.                             tracking of the\n                                                              completion of security\n                                                              awareness training.\n\nCBP-IT-07-20   We noted several access control            \xe2\x80\xa2   Automate the                           X      Medium\n               weaknesses for the VPN solution\n\n                                                20\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                     APPENDIX B\n                                         US Customs and Border Protection\n                                      Information Technology Management Letter\n                                                 September 30, 2007\n\n\n                                                                                             New      Repeat    Risk\n   NFR #                      Condition                          Recommendation\n                                                                                             Issue     Issue   Rating\n               during test work. 
Specifically, we               recertification process in\n               noted:                                           order to remove the need\n               \xe2\x80\xa2 The VPN sever does not maintain                for after-the-fact\n                   information on user account                  recertification via\n                   creation and inactivity and                  methods not documented\n                   therefore cannot terminate inactive          in recertification\n                   accounts or provide audit                    procedures (email,\n                   information regarding the creation           verbal, etc.)\n                   of VPN accounts,                         \xe2\x80\xa2   Configure the VPN\n               \xe2\x80\xa2 Accounts that did not recertify                servers to store\n                   during the recertification time              information about the\n                   period or were marked for deletion           creation dates and\n                   during the recertification period            activity of users in order\n                   remained active on the system after          to be able to properly\n                   the accounts should have been                identify inactive\n                   deactivated by VPN administrators,           accounts and allow for\n               \xe2\x80\xa2 Procedures for recertifying                    their deletion.\n                   accounts were not fully                  \xe2\x80\xa2   Improve the process of\n                   implemented and accounts were                deactivating accounts at\n                   recertified by means beyond those            the end of the\n                   identified in documented                     recertification period and\n                   procedures                                   ensure that all accounts\n                                                                that should be 
removed\n                                                                from the system are\n                                                                removed.\n\nCBP-IT-07-21   We noted that when changes to a user\xe2\x80\x99s       Formalize procedures for                    X      Medium\n               access are performed in                  ,   reviewing these access\n               the log of these events is not regularly     change logs and that review\n               reviewed by personnel independent            of these logs is implemented\n               from those individuals that made the         on a periodic basis as set\n               changes.                                     forth in criteria.\n\nCBP-IT-07-22   We noted that the following documents        Implement procedures in                     X         Low\n               as not having documented approval            OIT divisions to perform a\n               and/or approval dates:                       review of all documentation\n               \xe2\x80\xa2                                            to update, consolidate and\n                         \xe2\x80\x93 No approval for majority of      approve the documented\n                   fiscal year                              procedures in use by\n               \xe2\x80\xa2   Configuration Management Code            operational personnel.\n                   Migration Procedures for       \xe2\x80\x93\n                   No approval or effective date\n               \xe2\x80\xa2   Configuration Management Code\n                   Migration Procedures for       \xe2\x80\x93\n                   No approval date or effective date\n               \xe2\x80\xa2   Production Management Team\n                   Procedures \xe2\x80\x93 No approval, no\n                   change history\n               \xe2\x80\xa2          Operations: Standard\n\n\n                                                21\n       Information Technology 
Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                     APPENDIX B\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                             New      Repeat    Risk\n   NFR #                      Condition                         Recommendation\n                                                                                             Issue     Issue   Rating\n                   Operating Procedures \xe2\x80\x93 No\n                   approval\n\nCBP-IT-07-23   3 out of 5 selected    Emergency            Consistently apply                 X                Medium\n               Changes did not have post-                  emergency change\n               implementation Executive Approval as        management post-\n               required by the new OIT emergency           implementation procedures\n               change procedures.                          to all     emergency\n                                                           changes. 
Furthermore, post-\n                                                           implementation procedures\n                                                           should be regularly reviewed\n                                                           and provide regular feedback\n                                                           to change administrators to\n                                                           determine any post-\n                                                           implementation steps that\n                                                           may have been missed due to\n                                                           the expeditious nature of\n                                                           emergency changes.\n\nCBP-IT-07-24   The       recertification process has       \xe2\x80\xa2   Apply procedures                         X      Medium\n               several weaknesses. Of the 45 selected          outlined in the newly\n               ports, 45 ports none had formally               distributed memorandum\n               documented communication between                from Office of Field\n               the responsible DFO and OFO                     Operations dated April\n               headquarters as directed by the FY              27, 2007\n               2006 memorandum put out by Office of        \xe2\x80\xa2   Consistently document\n               Finance.                                        results of recertifications\n                                                               at the port level and\n                                                               maintain documentation.\n\nCBP-IT-07-25   We noted that the            does not       \xe2\x80\xa2   Formally document the          X                   Low\n               have an ISSO, but has been assigned an          appointment of\n               interim ISSO. 
We noted that the                                     with\n               interim ISSO is not formally                    a formal designation\n               documented as the             ISSO.             letter, and\n                                                           \xe2\x80\xa2   Appoint a full time ISSO\n                                                               for the            and\n                                                               document that\n                                                               appointment with a\n                                                               formal designation letter.\n\nCBP-IT-07-26   We noted that evidence of the review        Perform periodic review of         X                Medium\n               of            security violation logs for   access violation logs.\n               6 of 25 dates were not available for\n               review.\n\nCBP-IT-07-27   We noted that authorizations are not        \xe2\x80\xa2   Develop and implement          X                   High\n               being maintained for personnel that             procedures to restrict\n               have administrator access to                    access to\n\n\n                                                22\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                  APPENDIX B\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                          New      Repeat    Risk\n   NFR #                      Condition                        Recommendation\n                                                                                 
         Issue     Issue   Rating\n                                                              administrative\n                                                              capabilities, and\n                                                          \xe2\x80\xa2   Require documented\n                                                              authorization requests\n                                                              and approval for each\n                                                              person requiring access\n                                                              to the\n                                                              administrative\n                                                              capabilities.\n\nCBP-IT-07-28   We noted that access policies and          \xe2\x80\xa2   Develop and implement        X                Medium\n               procedures have not been formally              access policies and\n               documented for the              . We           procedures for the\n               also noted that access authorization                  to document\n               forms were not completed for 27 out of         formal methods for\n               45 accounts created in FY 2007.                
requesting and\n                                                              approving access for the\n                                                                          .\n                                                          \xe2\x80\xa2   Require documented\n                                                              authorization requests\n                                                              and approval for each\n                                                              person requiring access\n                                                              to the\n\nCBP-IT-07-29   We noted that procedures have been         \xe2\x80\xa2   Implement the recently                 X      Medium\n               developed and a new termination form           developed procedures\n               (CF-241) has been developed for use in         for completion of the\n               terminating employees. While these             termination forms and\n               procedures address the submission of           notify System Security\n               the form to System Security and require        for all terminating\n               notification of removal of system              employees so that\n               access from System Security, the new           systems access can be\n               procedures were developed and                  removed appropriately.\n               activated in June, 2007. The\n               procedures are currently not\n               implemented, however.\n\nCBP-IT-07-30   We noted that multiple terminated          \xe2\x80\xa2   Work with other US           X                   High\n               employees retained active accounts on          CBP Offices and within\n               the      . They were disabled as a             OIT to receive notice of\n               result of accounts being inactive for 90       termination of\n               days. 
Therefore, these accounts were           employees in a timely\n               active 90 days after the employee              manner so that accounts\n               terminated from US CBP.                        can be deactivated on the\n                                                              departure of the\n                                                              employee.\n                                                          \xe2\x80\xa2   Terminate accounts for\n                                                              terminated employees in\n                                                              a timely manner.\n\n\n                                                23\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                   APPENDIX B\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                           New      Repeat    Risk\n   NFR #                      Condition                       Recommendation\n                                                                                           Issue     Issue   Rating\nCBP-IT-07-31   We noted that 12 of the 45 selected       \xe2\x80\xa2   Apply procedures                          X     Medium\n               ports/headquarters did not have self          outlined in the newly\n               inspection worksheets completed.              
distributed memorandum\n               Accordingly, we were not able to              from Office of Field\n               determine whether specific       high         Operations\n               risk combinations of roles were           \xe2\x80\xa2   Consistently document\n               performed at these ports/headquarters.        results of recertifications\n                                                             at the port level.\n\nCBP-IT-07-32   We selected 20 out of 201 changes and     Ensure that all program            X                Medium\n               noted the following:                      offices appropriately\n               \xe2\x80\xa2 9 of the 20 changes did not have        document all test data,\n                   formal test plans or documented       transactions, and program\n                   results                               change results.\n               \xe2\x80\xa2 None of the changes showed\n                   evidence of review of the\n                   documented test results.\n\nCBP-IT-07-33   We selected 15 of 90       changes and    Ensure that all program            X                Medium\n               noted the following:                      offices appropriately\n               \xe2\x80\xa2 3 of the 15 selected changes did not    document all test data,\n                   have formally documented test         transactions, and program\n                   plans or test results.                change results to monitor the\n               \xe2\x80\xa2 None of the changes showed              quality of program changes.\n                   evidence of review of the test\n                   results documented.\n\nCBP-IT-07-34   We noted that virus protection is not     Ensure that antivirus              X                   High\n               installed on all CBP workstations.        
protection is installed on all\n               Specifically, we noted at the time of     workstations under the\n               testing that approximately 6,000 of       control of CBP.\n               CBP\xe2\x80\x99s approximate 38,000\n               workstations do not have antivirus\n               protection installed. Since the initial\n               testing was performed, we noted that\n               immediate remediation has begun and\n               as of September 28, 2007,\n               improvements have been made but\n               1,557 out of 42,429 workstations still\n               are missing virus protection software.\n\nCBP-IT-07-35   During our technical testing, eighteen    Implement corrective actions                 X         High\n               configuration management exceptions       to ensure that information\n               were identified                           systems that support the\n                                         Domain          application and other\n               Controllers and hosts supporting the      financial systems are\n                    application.                         configured to the security\n                                                         requirements outlined in\n                                                         DHS policy. 
Configurations\n\n\n                                                24\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                APPENDIX B\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                        New      Repeat    Risk\n   NFR #                     Condition                      Recommendation\n                                                                                        Issue     Issue   Rating\n                                                       that should be addressed\n                                                       include, but are not limited\n                                                       to: stronger password\n                                                       configurations, restrictions\n                                                       on access granted to ports on\n                                                       servers and audit log\n                                                       generation and maintenance.\n\nCBP-IT-07-36   During our technical testing, thirty-   Complete corrective actions                 X         High\n               seven patch management exceptions       surrounding the\n               were identified on                      vulnerabilities identified and\n                                         Domain        implement policies and\n               Controllers and hosts supporting the    procedures to ensure that the\n                    application.                       
information systems that\n                                                       support and maintain CBP\n                                                       financial data are secured\n                                                       with the most up to date and\n                                                       tested patches provided by\n                                                       vendors. Patches that have\n                                                       been validated as appropriate\n                                                       for CBP information systems\n                                                       should be applied to these\n                                                       systems to address the\n                                                       conditions noted.\n\n\n\n\n                                                25\n       Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                          US Customs and Border Protection\n                       Information Technology Management Letter\n                                  September 30, 2007\n\n\n\n\n                                  APPENDIX C \n\n\n    STATUS OF PRIOR YEAR NOTICES OF FINDINGS AND \n\n RECOMMENDATIONS AND COMPARISON TO CURRENT YEAR \n\n     NOTICES OF FINDINGS AND RECOMMENDATIONS\n\n\n\n\n\n                                         26\n\nInformation Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                    APPENDIX C\n                             US Customs and Border Protection\n                          Information Technology Management Letter\n                                     September 30, 2007\n\n\nSTATUS OF PRIOR YEAR CBP IT NOTICES OF FINDINGS AND RECOMMENDATIONS \n\n\n   NFR No.                                                           
Description                                                        Disposition (Closed / Repeat)

CBP-IT-06-01    Repeat: Reissued; see CBP-IT-07-01
Due to the design of [redacted], certain controls can be overridden without supervisory approval. For example, when a CBP entry specialist attempts to liquidate an import entry in [redacted], the system displays a warning message, indicating that a drawback claim had been filed against the import entry. However, entry specialists could override the warning message without supervisory review and process a refund without investigating pending drawback claims.

CBP-IT-06-02    Repeat: Reissued; see CBP-IT-07-02
CBP management has not established ISAs for legacy connections with [redacted]. Additionally, the majority of financial institutions connecting with [redacted] do not have ISAs.

CBP-IT-06-03    Closed: X
CBP management has not performed a formal certification and accreditation on the [redacted] as a whole. Specifically, a formal security control assessment and a formal risk assessment have not been performed for components of the [redacted].

CBP-IT-06-04    Repeat: Reissued; see CBP-IT-07-03
CBP does not maintain a centralized listing of separated contract personnel. The only method CBP employs to track terminated contractors is the use of a report of users that had their account deleted.

CBP-IT-06-05    Repeat: Reissued; see CBP-IT-07-10
CBP management has not performed a formal review of individuals with physical access to the data center. Additionally, CBP management has not established formal procedures for revoking physical access to buildings.

CBP-IT-06-06    Closed: X
CBP has not performed a separate certification and accreditation for the applications remaining in the seven business process areas defined in the Administrative Applications C&A.

Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit

APPENDIX C
US Customs and Border Protection
Information Technology Management Letter
September 30, 2007

CBP-IT-06-07    Closed: X
[redacted] does not have an automated mechanism to detect and deactivate users that have not logged on for 90 days per DHS policy.

CBP-IT-06-08    Repeat: Reissued; see CBP-IT-07-24
Field offices are not consistently reporting the completion of recertifications at their ports to the OFO headquarters. Email confirmation of completion of [redacted] recertifications were not available for Boston, Baltimore, New Orleans, Miami, and Calgary (Canada) field offices, and the Los Angeles field office only provided an email stating that recertification process exists, but did not confirm that recertifications had been completed.

CBP-IT-06-09    Repeat: Reissued; see CBP-IT-07-31
We could not obtain the requested evidence of [redacted] recertifications from CBP for any of the 44 selected field level ports to determine whether accounts with sensitive and high-risk combination of functions are reviewed for appropriateness.

CBP-IT-06-10    Repeat: Reissued; see CBP-IT-07-12
Improvements are still needed in CBP’s Incident Handling and Response Capability which may potentially limit CBP’s ability to respond to incidents in an appropriate manner. Specifically, we noted the following issues:
•  [redacted] will not be installed on all workstations for the majority of the fiscal year.
•  3 of 8 selected system flaw notifications did not have an associated Service Center ticket.

CBP-IT-06-11    Closed: X
We noted that the process for deletion of [redacted] accounts for terminated government and contractor personnel may be utilizing erroneous data. Specifically, we noted that the files being sent from the [redacted] Security group to the [redacted] Security team to terminate [redacted] accounts of separated employees do not display the true status of employees. The [redacted] query producing the separated contractor file includes individuals with accounts that have been locked after 30 days of inactivity. Additionally, the separated government employees file is not accurate as many government employees are separated and return to CBP as contractors. Consequently, the [redacted] Security Group does not deactivate the accounts for these instances.

CBP-IT-06-12    Repeat: Reissued; see CBP-IT-07-20
We noted that 24 out of 45 selected individuals did not have formally documented VPN access authorization forms. Additionally, CBP has not implemented formal procedures for VPN recertification for the majority of FY 2006.

CBP-IT-06-13    Repeat: Reissued; see CBP-IT-07-17
CBP System Security does not conduct reviews of powerful system utilities. Specifically, management does not review the utilities [redacted].

CBP-IT-06-14    Repeat: Reissued; see CBP-IT-07-29
Multiple methods of termination of [redacted] accounts are used by Systems Security personnel (i.e. electronic mail, phone calls, and termination checklists). We selected 45 terminated employees to determine whether termination checklists had been consistently completed. Of the 45 employees, only 30 forms were provided. Of these 30 forms, we noted that 9 out of 30 forms did not have supervisory signature, which signifies completion of the form to include notification sent to System Security for removal of logical access to applications. We noted that termination checklists (CF-241) are not consistently completed for separating employees throughout the organization.

CBP-IT-06-15    Repeat: Reissued; see CBP-IT-07-04
Backup tapes do not have affixed external labels to indicate the sensitivity of the data contained in the tapes.

CBP-IT-06-16    Repeat: Reissued; see CBP-IT-07-17
CBP System Security does not have formal policies and procedures in place for monitoring powerful/sensitive system utilities.

CBP-IT-06-17    Repeat: Reissued; see CBP-IT-07-35 and CBP-IT-07-36
Improvements still needed in CBP’s technical security controls. Related to issues reported in FY02, FY03 and FY04 findings regarding host and network based security system access deficiencies, we noted the following:
•  CBP has confirmed that they will not be implementing the Passfilt.dll system control program to enforce strong passwords or the Windows [redacted] password protection feature enhancement upgrade referred to as [redacted].
•  CBP has not made the configuration changes to the Windows [redacted] that was compromised in FY03 intrusion tests.
•  Discovered key systems’ domains in targeting for potential unauthorized access attempts where we were able to identify major CBP network domains.
•  Exploited a system vulnerability that had not been corrected.
•  We confirmed that the number of Domain Administrators on selected Domains has increased since 2005.
•  ESM identified weak passwords, expired passwords, misconfigurations, and missing patches.
•  Identified vulnerabilities on an Oracle database which had critical patches missing, weak passwords and auditing is not enabled.

CBP-IT-06-18    Repeat: Reissued; see CBP-IT-07-05
We noted the following issues related to password parameters:
•  [redacted] minimum password length is set to six characters.
•  [redacted] minimum password length is set to six characters.
•  Password complexity is not set on the [redacted].
•  Password complexity is not set on [redacted].
•  Password complexity is not set on the [redacted].

CBP-IT-06-19    Repeat: Reissued; see CBP-IT-07-06
We noted the following issues related to automatic session disconnection:
•  CBP’s policy states that sessions should be automatically disconnected after 30 minutes of inactivity, which is not consistent with DHS’ policy.
•  CBP’s policy states that the workstation should log off from all connections after 5 minutes of inactivity, which is a documentation error. According to applicable guidance, all system connections do not have to be terminated after 5 minutes of inactivity on the workstation.
•  [redacted] sessions are configured to terminate after 60 minutes of inactivity.
•  CBP workstations cannot enforce the activation of a password-protected screensaver after 5 minutes of inactivity. The settings can be disabled or changed by individual users.

CBP-IT-06-20    Closed: X
[redacted] is not configured to disable user accounts after 3 consecutive failed logon attempts. Additionally, per observation, we noted [redacted] accounts were not locked after three consecutive failed login attempts.

CBP-IT-06-21    Closed: X
CBP does not document formal approval of system changes for the [redacted] system. We selected 8 [redacted] regularly scheduled changes to determine if formal approval was given and documented. Per inspection of documentation, we were informed that there is no formally documented approval for the 8 selected changes.

CBP-IT-06-22    Repeat: Reissued; see CBP-IT-07-14
We noted weaknesses related to the deposit and withdrawal of backup tapes:
•  Tape deposit receipts for 2 of 25 selected dates were not available.
•  Withdrawal of backup tapes from the off-site storage facility is not logged.

CBP-IT-06-23    Repeat: Reissued; see CBP-IT-07-11
CBP System Security does not consistently retain audit logs of powerful mainframe system utilities. Specifically, we selected 25 [redacted] reports to determine if powerful [redacted] system utilities are being consistently logged. We determined that 5 out of the 25 selected logs were missing.

CBP-IT-06-24    Repeat: Reissued; see CBP-IT-07-07
We determined that [redacted] does not have the ability to prevent developers from overwriting existing code in the development environment. The developer is able to extract the code from the development environment and place it into a personal folder on the user’s personal computer. If multiple users are modifying a program in their own personal folders they may be overwriting existing changes.

CBP-IT-06-25    Repeat: Reissued; see CBP-IT-07-15
Accounts are not deactivated after 90 days of inactivity with respect to the [redacted] system. We determined through inspection of audit evidence acquired from [redacted] that the defined deactivation period is, in fact, 180 days.

CBP-IT-06-26    Repeat: Reissued; see CBP-IT-07-08
[redacted] Security Administrators do not keep audit logs for the prescribed period of time. Audit logs are only available for, at the most, the past three months. Logs are not maintained beyond the configured space for the log file. We also noted that Security Administrators do not review audit logs.

CBP-IT-06-27    Repeat: Reissued; see CBP-IT-07-09
We noted that accounts are not deactivated after 90 days of inactivity on the [redacted]. We determined that the removal of inactive [redacted] accounts is a manual process.

CBP-IT-06-28    Closed: X
[redacted] are not fully documented for [redacted]. The ISA documenting the connection between [redacted] America and CBP is currently out of date. In addition, the connection that exists between Treasury and CBP is currently not officially documented.

CBP-IT-06-29    Repeat: Reissued; see CBP-IT-07-19
The documentation of completed initial security awareness training is not properly maintained. We selected security awareness training documentation for 45 users. Per inspection of documentation, 13 of 45 did not have security awareness training certificates documented.

CBP-IT-06-30    Repeat: Reissued; see CBP-IT-07-03
Contractor access request forms for the [redacted] could not be adequately tested. We noted that no list of contractors hired to work at CBP is maintained. Accordingly, audit procedures requiring a sample of contractor access request forms could not be requested.

CBP-IT-06-31    Repeat: Reissued; see CBP-IT-07-16
[redacted] has excessive access to emergency processing capabilities. We noted that after an initial authorization to be added to an emergency user table in [redacted], a user can repeatedly request that their emergency access be reinstated, without being reauthorized. While emergency access in [redacted] can expire in no more than nine days, some users renew their emergency access every nine days. We noted that CBP has not implemented an effective method of controlling this access, as users are not required to reauthorize their emergency access each time it is requested.

CBP-IT-06-32    Repeat: Reissued; see CBP-IT-07-21
Access change audit logs are not reviewed in [redacted]. CBP management does not independently review the changes that are put into place by the [redacted] security administrators.

CBP-IT-06-34    Closed: X
Four [redacted] administrators share an administrator account on the [redacted].

CBP-IT-06-36    Repeat: Reissued; see CBP-IT-07-22
We determined that the following documents have not been formally approved:
•  [redacted] – No approval.
•  Configuration Management Code Migration Procedures for [redacted] has no authorization.
•  Acquisition Planning and Selection and Development Process has no authorization.
•  Configuration Management Code Migration Procedure for Systems, Applications, and Products has no authorization.
•  Production Management Team Procedures – No approval, no change history.
•  [redacted] Operations: Standard Operating Procedures – No approval.

CBP-IT-06-37    Closed: X
User acceptance testing for [redacted] Remedy was not formally documented.

CBP-IT-06-38    Closed: X
We noted that one individual with [redacted] administrator privileges did not have justified access. We noted that there are instances where [redacted] locks security administrator accounts due to various reasons that do not require documented approvals for reinstating the user account. Additionally, we noted that instances where the [redacted] security administrator is new or reinstatement of suspended/deleted accounts is needed, a documented approval is required. We noted that due to a system limitation within [redacted], management cannot produce a system-generated list of field [redacted] security administrators that differentiates between the two cases.

CBP-IT-06-39    Closed: X
We noted that 1 out of 3 [redacted] job schedule changes did not have documented approval.


Appendix D

Management Response to Draft CBP IT Management Letter

US Customs and Border Protection
Information Technology Management Letter
September 30, 2007


System Software

CBP concurred with KPMG’s recommendations in this area. Steps have been taken to ensure that the policies and procedures which have been developed for monitoring audit logs are fully implemented. POAMs have been implemented for the NFRs and their status is provided in the attachment.

Service Continuity

CBP concurred with KPMG’s recommendations in this area. Steps have been taken to ensure appropriate labeling of all computer peripheral media and the formalizing of media withdrawal requests. POAMs have been implemented for the NFRs and their status is provided in the attachment.

Application Software Development and Change Control

CBP concurred with KPMG’s recommendations in this area. Separation of roles between development and production environments has been established. [redacted] codes have been configured for the “Productive” setting, while [redacted] configuration management and change control measures are continually upgraded. POAMs have been implemented for the NFRs and their status is provided in the attachment.

Thirty-six NFRs that addressed fifty-nine separate recommendations were created during the FY 2007 audit of which twenty-five were reissues of FY 2006 findings and eleven were new. Three of the thirty-six have been transferred to non-OIT groups, the Office of Finance (OF) and the Office of Field Operations (OFO) for remediation, and CBP action plans have been provided for the remaining thirty-three. For the latter thirty-three, CBP actions have been totally completed for nineteen and partially completed for an additional six. The corrective actions for thirty five recommendations have been completed, all of which are awaiting closure pending KPMG review. POAMs have been implemented for the NFRs and their status is provided in the attachment.

If you have any questions concerning this response, please contact Judy Wright, Office of Information and Technology Audit Liaison, at (703) 286-4155.


Attachments:


CBP FY 2007 IT Notices of Finding and Recommendation

Columns: NFR #; Condition; Recommendation; CBP Plans to Resolve; New Issue; Repeat Issue; Scheduled Completion Date; Actual Completion Date; Risk Rating

CBP-IT-07-01
New Issue: (blank)    Repeat Issue: X    Scheduled Completion Date: 1A-10/2/2007; 1B-7/31/2008    Actual Completion Date: (blank)    Risk Rating: High
Condition: In FY 2007, KPMG noted that there has been little change in the status of this finding. CBP is developing a control override report which will record all control overrides that have taken place for a period of time. Management stated that [redacted] will not be implemented in FY 2007. We concluded that a control mechanism to prevent overrides by specialists without supervisory approval would be an appropriate technical safeguard under application controls.
Recommendation:
1. Develop and implement a management review process of a control override report to facilitate independent review of any control overrides that take place.
2. Implement the appropriate controls in [redacted] so that supervisory approval is required before a control override can occur.
CBP Plans to Resolve: CBP concurs with the finding. A report is being created in [redacted] to identify entry summaries with refunds of duty with drawback that have been overridden and paid. The review of the report provides oversight of the compliance with warning messages on returns of refunds with possible drawback claims. This oversight will help prevent CBP from paying duty refunds and also paying drawback claims of 99% duty. Supervisors will be required to review the report on a monthly basis to control overrides of the refunds paid that may also have drawback claims. This new report was implemented by 30 Sept 2007. [redacted] requirements will include management oversight functionality to require supervisory approval of the override, which prevents payment of duty refunds on entry summaries that have drawback claims.

CBP-IT-07-02
New Issue: (blank)    Repeat Issue: X    Scheduled Completion Date: 2A- (blank); 2B-3/31/2008    Actual Completion Date: 10/09/2007    Risk Rating: Medium
Condition: This is a system-level finding. A full listing of trade partners was never compiled to assess the full scope of the status of connections to [redacted]. KPMG noted that a complete and accurate listing is still not maintained. Of those connections that have been accounted for, KPMG noted that only 7% of identified legacy connections had an [redacted] that has not expired. KPMG does note that a VPN solution is being phased in and legacy connections are being phased out and that significant progress is being made to move all existing trade partners to the new
Recommendation: Identify all connections in place with the [redacted] and account for each connection with a documented ISA.
CBP Plans to Resolve: CBP concurs with the finding. The Virtual Private Network (VPN) solution pilot from last year is now operational as of April 30, 2006. All new users are required to use the VPN solution. All legacy ‘dial-up’ connections are scheduled for migration to the VPN solution by the end of the fiscal year. CBP will also continue to utilize the new [redacted] process on all identified connections. The NFR stated, "Of those connections that have been accounted for, KPMG noted that only 7% of identified connections had an ISA that has not expired.
The\n             VPN solution, in                            correct number is\n             which they will                             currently 35%.\n             obtain an ISA                               The VPN\n             documenting the                             migration with the\n             connection.                                 use of the\n                                                         process will result\n                                                         in an efficient,\n                                                         maintainable, and\n                                                         repeatable solution\n                                                         that enhances both\n                                                         e-Government and\n                                                         security.\n\n\n\n\n                                           40\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                      APPENDIX D\n                                         US Customs and Border Protection\n                                      Information Technology Management Letter\n                                                 September 30, 2007\n\n\n                                                                                                    Scheduled      Actual\n                                                           CBP Plans to            New     Repeat                              Risk\n  NFR #          Condition          Recommendation                                                  Completion   Completion\n                                                           Resolve                 Issue   Issue\n                                                                                                      Date          
Date\n                                                                                                                              Rating\n\nCBP-IT-07-   This is a              Continue work          CBP concurs with                  X                   3A-          High\n03           component-level        towards                the finding.                                          10/12/2007\n             finding. CBP does      implementation of      a: CBP is                                             3B-\n             not maintain a         a contractor           continuing to work                                    10/12/2007\n             centralized listing    employee tracking      towards the                                           3C-\n             of contract            system.                implementation of                                     10/12/2007\n             personnel,             1.Deactivate all       a contractor\n             including              systems access of      employee tracking\n             employment status.     terminated             system.\n             The only method        contractors            b/c: CBP is\n             CBP employs to         immediately upon       presently in the\n             track terminated       separation from        process of\n             contractors is the     CBP.                   identifying\n             use of a report of     2.Periodically         requirements for\n             users that had their   distribute a listing   the automated\n             mainframe              of terminated          contractor tracking\n             accounts deleted.      contract personnel     system. 
The\n             KPMG cannot            to information         primary purpose of\n             acknowledge this       system                 the tracking system\n             list as                administrators so      will be to facilitate\n             representative of      they remove user       deactivation of\n             all terminated         access and             separated\n             contractors, since     periodically assess    contractor system\n             terminated contract    contractor access to   accesses. The\n             personnel may not      CBP systems.           tracking system\n             have                                          will also have the\n             access or their                               capability to create\n             access was not                                a listing that\n             removed after their                           system\n             termination.                                  administrators can\n                                                           use to periodically\n                                                           remove and assess\n                                                           contractor access to\n                                                           CBP systems. 
It is\n                                                           anticipated that the\n                                                           above actions will\n                                                           occur on or before\n                                                           September 30,\n                                                           2007.\n\n\n\n\n                                           41\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                    APPENDIX D\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                                  Scheduled      Actual\n                                                          CBP Plans to           New     Repeat                                  Risk\n  NFR #          Condition         Recommendation                                                 Completion   Completion\n                                                          Resolve                Issue   Issue\n                                                                                                    Date          Date\n                                                                                                                                Rating\n\nCBP-IT-07-   This is a             KPMG reviewed          CBP concurs with                 X                    9/28/2007        Low\n04           component-level       the POA&M and          the findings.\n             finding. 
KPMG         believes that work     However as of this\n             confirmed that in     should continue to     date, we do not\n             FY 2007, backup       develop a method       have a method of\n             tapes do not have     for labeling tapes     labeling the tapes\n                                                          that does not\n             external labels       that will not\n                                                          require the use of\n             affixed in order to   interfere with the\n                                                          adhesives. We had\n             indicate the          tape library           acquired the waiver\n             sensitivity of the    machinery.             because of the\n             data contained in                            potential harm to\n             the tapes.                                   our\n             Instead,\n             containers in                                       by affixing\n             which the tapes                              adhesive in close\n             are stored are                               proximity to the\n             labeled with                                 tape media. We\n             media labels.                                
will continue to\n             Currently, CBP                               research other\n             has obtained a                               methods and\n             waiver which                                 technologies of\n                                                          tape labeling that\n             waives the\n                                                          do not use\n             responsibility to\n                                                          adhesives.\n             label media\n             directly.\n             However, CBP\n             remains non-\n             compliant and the\n             risk still remains.\nCBP-IT-07-   This is a system-     1.Configure            CBP concurs with                 X                   5A           \xe2\x80\x93   High\n05           level finding.        password policies      the finding.                                         1/8/2008\n             KPMG noted the        to reflect those set   a. CBP is currently                                  5B           \xe2\x80\x93\n             following issues      forth in CBP and       working to                                           1/3/2008\n             related to            DHS guidance.          implement system\n             password              2.Configure            and application\n                                                          software changes\n             parameters:                  password\n                                                          to support DHS\n             -                     policies to reflect\n                                                          password standards\n             minimum               those set forth in     \xe2\x80\x93 targeted\n             password length       CBP and DHS            completion July\n             is set to six         guidance.              2007.\n             characters                                   b. 
CBP is currently\n             - Password                                   implementing\n             complexity is not\n             set on the                                   with this roll out\n                                                          set to be completed\n                                                          by 12/31/07. As\n             minimum                                      user accounts are\n             password length                              migrated, complex\n             is set to six                                passwords based\n             characters                                   on DHS standards\n                                                          are implemented.\n             - Password\n                                                          Current\n             complexity is not\n                                                          compensating\n             set on the                                   controls that are in\n                                                          place: Secure\n                                                          network and\n\n                                                                        on\n                                                          Primary domain\n                                                          controllers.\n\n\n\n\n                                           42\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                     APPENDIX D\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                                   Scheduled      
Actual\n                                                          CBP Plans to            New     Repeat                              Risk\n  NFR #          Condition         Recommendation                                                  Completion   Completion\n                                                          Resolve                 Issue   Issue\n                                                                                                     Date          Date\n                                                                                                                             Rating\n\nCBP-IT-07-   This is a system-     1.Modify CBP\xe2\x80\x99s         CBP concurs with                  X                   6A-          Medium\n06           level finding.        automatic session      the findings.                                         7/11/2007\n             KPMG noted the        disconnection          a. Appendix E, E 5                       6C-          6B-\n             following issues:     policy so that it is   Automatic Session                        3/31/2008    7/11/2007\n             - CBP\xe2\x80\x99s policy        consistent with        Lockout of CBP\n             stated that           DHS policy.            Information\n                                                          Systems Security\n             sessions should       2.Modify CBP\n                                                          Policies and\n             automatically         policy to reflect\n                                                          Procedures\n             disconnect after      that only the          Handbook, CIS HB\n             30 minutes of         password-              1400 05C will be\n             inactivity, which     protected              revised to state that\n             is not consistent     screensaver must       \xe2\x80\x9cany mainframe\n             with DHS policy.      
be activated after     session that has\n             - CBP\xe2\x80\x99s policy        5 minutes of           remained idle for at\n             stated that the       inactivity.            least 20 minutes\n             workstation           3.Continue             will disconnect\n             should log off        deployment of          automatically.\xe2\x80\x9d\n             from all                                     b. Section 5.5.1\n             connections after     and Windows            Desktop Computer\n             5 minutes of          2003 in order to       Practices of CBP\n             inactivity.           establish and          Information\n                                                          Systems Security\n             According to          maintain group\n                                                          Policies and\n             applicable            policy and\n                                                          Procedures\n             guidance, all         enforce password-      Handbook, CIS HB\n             system                protected              1400 05C, will be\n             connections do        screensaver            revised to state that\n             not have to be        settings on the        screensavers\n             terminated after 5    workstations.          should activate\n             minutes of                                   after not more than\n             inactivity on the                            5 minutes of\n             workstation.                                 inactivity.\n             - CBP                                        c. 
CBP will\n             workstations                                 continue the\n             could not enforce                            deployment of\n             the activation of a                          Active Directory\n             password-                                    and Windows 2003\n                                                          Server in order to\n             protected\n                                                          set up group policy\n             screensaver after\n                                                          and enforce\n             5 minutes of                                 password\n             inactivity. The                              protected\n             settings could be                            screensaver\n             disabled or                                  settings. Target\n             changed by                                   due date December\n             individual users.                            31, 2007.\n\n\n\n\n                                           43\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                        APPENDIX D\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                                  Scheduled          Actual\n                                                         CBP Plans to            New     Repeat                                     Risk\n  NFR #          Condition         Recommendation                                                 Completion       Completion\n                                                         Resolve                 
Issue   Issue\n                                                                                                    Date              Date\n                                                                                                                                   Rating\n\nCBP-IT-07-   This is a system      CBP management        CBP Concurs with                  X                        10/18/2007     Medium\n07           level finding.        implement             the NFR.\n\n             KPMG\n                 procedures which      Management is \n\n             determined that \n     prevent the           developing two\n                         does      overwrite of          options for\n             not have the          development code      resolving this NFR.\n                                                         Once management\n             ability to prevent    in the\n                                                         selects the option\n             developers from       development\n                                                         and identifies the\n             overwriting           environment.          necessary funding,\n             existing code in                            work can begin\n             the development                             with an estimated\n\n             environment. The \n                          completion date of\n             developer is able                           12/31/07.\n             to extract the code\n             from the\n             development\n             environment and\n             place it into a\n             personal folder on\n             the user\xe2\x80\x99s\n             personal\n             computer. 
If\n             multiple users are\n             modifying a\n             program in their\n             own personal\n             folders they may\n             be overwriting\n             existing changes.\nCBP-IT-07-   This is a system-     1.The                 CBP concurs with                  X      8A           -                   Medium\n08           level finding. A      system be             the finding. This is                     4/30/2008        8B - 1/3/2008\n             solution has not      configured to         an ongoing project\n             been implemented      maintain audit        that is currently on\n             to maintain           logs and track        hold awaiting\n                    audit logs     security events       funds to purchase\n                                                         equipment. Once\n             for an appropriate    according to CBP\n                                                         the new equipment\n             period of time.       and DHS policies.\n                                                         is in place, then all\n             Audit logs are not                          the servers will be\n             being reviewed        2.\n                                   audit logs be         configured to store\n             for security                                logs centrally.\n             violations for the    reviewed on a\n                                                         Plans and\n                         .         regular bases,\n                                                         procedures will be\n                                   according to CBP      provided to\n                                   and DHS policy,       administrators on\n                                   to detect potential   reviewing log\n                                   security events.      
activity.\n                                                         Compensating\n                                                         controls that are\n                                                         currently in place\n                                                         include some audit\n                                                         logs from\n                                                         environment that\n                                                         are currently stored\n                                                         in a central\n                                                         location\n\n\n                                                         that are installed on\n                                                         our primary\n                                                         domain controllers.\n\n\n\n\n                                           44\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                            APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                            Scheduled      Actual\n                                                      CBP Plans to         New     Repeat                              Risk\n  NFR #          Condition        Recommendation                                            Completion   Completion\n                                                      Resolve              Issue   Issue\n                                                                                              Date          Date\n                                            
                                                                          Rating\n\nCBP-IT-07-   This is a system-                        CBP concurs with               X                    1/3/2008    High\n09           level       finding. Administrators      the NFR. For \n\n             KPMG noted that \n implement a\n\n             accounts are not \n control to            CBP will change\n             deactivated          automatically       the automatic\n             automatically        disable or remove   disabling of\n                                                      inactive accounts\n             after 30 days of accounts after\n                                                      from 90 days to 30\n             inactivity.          thirty days of\n                                                      days. Target due\n             Accounts         are inactivity in the   date \xe2\x80\x93 8/31/07\n             disabled         for system.\n             inactivity once a\n             month using a\n             manually initiated\n             job.\n\n\n\n\n                                           45\n\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                   APPENDIX D\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                                 Scheduled      Actual\n                                                         CBP Plans to           New     Repeat                              Risk\n  NFR #          Condition         Recommendation                                                Completion   Completion\n                                       
NFR #: CBP-IT-07-10
Condition: This is a component level finding. KPMG reviewed the procedures and evidence of the most recent recertification performed for physical access to the data center. KPMG noted the following:
  - Two people had access that was not appropriately documented with an approved access request form.
  - One terminated employee retained access after the recertification.
  - One user was marked to be removed as a result of the recertification but was not removed appropriately.
Recommendation:
  1. Continue to work towards improving the recertification process.
  2. Require an access request form before access is granted to the data center, as stated in policies and procedures.
  3. Remove terminated employees' access immediately upon termination of the employee.
CBP Plans to Resolve: CBP concurs with the finding.
  a. CBP is continuing to work towards improving the recertification process. All corrective actions recommended by KPMG have been implemented to improve the recertification process. CBP implemented a new measure in May 2007 requiring the use of the "Two Person Rule" to ensure that oversights and human error do not occur.
  b. CBP continually uses [redacted] for the requesting and granting of RA access. In the instance cited, a [redacted] was not required for the security guard supervisor because he requires access for emergency reasons and cannot be denied Computer Room access. CBP will ensure that a [redacted] is submitted to owners in future such cases as a courtesy measure.
  c. CBP currently has documented procedures within the [redacted] Handbook, V. 1, dated March 2007, as well as CBP directives that govern the separation of CBP employees and contractors from CBP service.
New Issue:
Repeat Issue: X
Scheduled Completion Date:
Actual Completion Date: 10A - 11/28/2007; 10B - 11/28/2007; 10C - 11/28/2007
Risk Rating: Medium

                                           46
  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit

                                                                                                                  APPENDIX D
                                        US Customs and Border Protection
                                     Information Technology Management Letter
                                                September 30, 2007

NFR #: CBP-IT-07-11
Condition: This is a system-level finding. CBP System Security does not consistently retain audit logs of powerful [redacted] utilities. KPMG reviewed the existence of [redacted] logs for a selection of dates and noted that logs were not available for a series of dates. KPMG noted that within a 90 day window, complete logs were available for all selected dates except one. For the year long window, 17 summary reports were unavailable.
Recommendation:
  1. Maintain complete and accurate records of [redacted] logs according to CBP document retention policy.
  2. Regularly review the [redacted] logs for suspicious activity according to CBP policy.
CBP Plans to Resolve: CBP concurs with this finding. Per current policy, printed reports are kept for 90 days. The Security Operations [redacted] team will ensure that all audit logs are retained for the 90-day period. Log Reviews and the resultant summary status reports have not been done by the [redacted] ISSO due to the volume of records to review. The [redacted] team is working on creating a Web-based application that automates the generation of audit log summary reports. This new application will enable the ISSO to quickly generate a Log Review summary report. Anticipated completion date of this new Web-based application is October, 2007. Online audit logs are maintained for a period of seven (7) years per the current Audit Retention Policy, CBP HB 1400-05C of the Security Handbook.
New Issue:
Repeat Issue: X
Scheduled Completion Date: 11A - 6/30/2008
Actual Completion Date: 11B - 1/28/2007
Risk Rating: Medium

NFR #: CBP-IT-07-12
Condition: This is a component-level finding. As identified in prior year issues reported in FY 2003, FY 2004, FY 2005 and FY 2006, KPMG noted that improvements are still needed in CBP's Incident Handling and Response Capability which may potentially limit CBP's ability to respond to incidents in an appropriate manner. In FY 2007, we noted that [redacted] will not be installed on all workstations for the majority of the fiscal year.
Recommendation: CBP ensure that [redacted] is installed on all workstations under the control of CBP.
CBP Plans to Resolve: CBP concurs with the NFR. The solution is a work in progress to be implemented by October 1, 2007:
  - Windows XP standard image incorporates [redacted] functionality.
  - Systems installed with this image will be patched according to CBP standards.
  - CBP has an auto-remediation capability to detect systems in Windows Domains that are issued dynamic IP addresses.
  - CBP will detect non-[redacted] and will install [redacted] Code based on Domain Member and dynamic (or leased) IP Address. Targeted completion October 1, 2007.
  Continual improvement of this methodology is anticipated as this capability is deployed.
New Issue:
Repeat Issue: X
Scheduled Completion Date:
Actual Completion Date: 2/19/2008
Risk Rating: Medium

NFR #: CBP-IT-07-13
Condition: This is a component-level finding. During test work around the application of security patches, KPMG noted that a complete listing of workstations is not maintained by System Security. We noted that System Security does not have the ability to quickly compile a listing of all workstations under CBP's ownership.
Recommendation:
  1. Work to eliminate the use of local workgroups and include all CBP workstations in a CBP administered domain.
  2. Compile and regularly maintain a full and accurate listing of CBP workstations and use this list to monitor and maintain patch levels for all CBP workstations.
CBP Plans to Resolve: CBP concurs with this finding.
  a. Mitigations are currently in place through a group policy; workstations in [redacted] are required to run the "[redacted] health" code. Additionally, the CBP desktop build contains pre-staged [redacted] health code and antivirus software that will check for updates daily.
  b. Corrective action will be taken to develop, test, and implement a [redacted]-integrated system that will determine desktop network identification. Target completion date (for implementation): December 31, 2007. The solution requires an updated policy and technical change.
New Issue: X
Repeat Issue:
Scheduled Completion Date: 13A - 4/30/2008; 13B - 3/29/2008
Actual Completion Date:
Risk Rating: Medium

NFR #: CBP-IT-07-14
Condition: This is a component-level finding. KPMG noted that tape withdrawal requests are not documented.
Recommendation: CBP monitor tape withdrawal requests that come from employees and log these requests to ensure that tape withdrawals are being completed appropriately.
CBP Plans to Resolve: CBP concurs with the finding and will take the following actions:
  1. Create an online log for unscheduled tape recalls from the offsite storage facility [redacted]. This process will be completed by July 31, 2007.
  2. [redacted] will be updated to reflect the new logging procedure. This update will be completed by July 31, 2007.
New Issue:
Repeat Issue: X
Scheduled Completion Date:
Actual Completion Date: 11/28/2007
Risk Rating: Low

NFR #: CBP-IT-07-15
Condition: This is a system-level finding. KPMG noted that the [redacted] is currently configured to disable accounts after 90 days of inactivity. KPMG also noted that the job is configured to run weekly, which does not comply with the requirement for automatic disabling of accounts.
Recommendation:
  1. Change the configuration for [redacted] to disable accounts after 30 days of inactivity.
  2. Change the job schedule for the deactivation procedure to run on a daily basis to minimize the time difference between the inactivity period and deactivation time.
CBP Plans to Resolve: CBP concurs with this finding. ACS Security will work with the programmers to have the ACS code changes made, tested, and user-approved in order to comply with the 30-day inactivity rules per DHS 4300A Sensitive Systems Handbook v3.3. Estimated target date for completion of the coding changes is January 31, 2008.
New Issue:
Repeat Issue: X
Scheduled Completion Date:
Actual Completion Date: 15A - 11/28/2007; 15B - 11/28/2007
Risk Rating: High

NFR #: CBP-IT-07-16
Condition: This is a system-level finding. KPMG noted that the [redacted] has been adjusted to limit active emergency access to 24 hours after the request. KPMG notes however that the emergency table is still being used and that administrator or supervisory approval is not required each time emergency access is activated.
Recommendation:
  1. Require supervisory approval each time a user requires activation of emergency access abilities.
  2. Perform regular re-certifications of the emergency access table to ensure persons with the capability to request emergency access need to remain on the emergency access table.
CBP Plans to Resolve: CBP concurs with this finding. After careful review of the current Emergency Access Policy, CBP has decided to update the language to be compliant with the recommendations. Once the policy has been updated, CBP will take steps to implement procedures to satisfy the recommendations.
New Issue:
Repeat Issue: X
Scheduled Completion Date: 16B - 5/15/2008
Actual Completion Date: 16A - 9/6/2007
Risk Rating: Medium

NFR #: CBP-IT-07-17
Condition: This is a system-level finding. CBP System Security does not conduct reviews of powerful system utilities. Specifically, the [redacted] utilities [redacted] are not reviewed by management. Additionally, while procedures are now in place for review of these logs, these procedures were not in place for the majority of the fiscal year.
Recommendation: CBP management implement policies and procedures that have been developed for monitoring and reviewing logs of powerful system utilities for suspicious activity.
CBP Plans to Resolve: As of August 1, 2007, the [redacted] ISSO has implemented policies and procedures that have been developed for monitoring and reviewing logs of powerful system utilities for suspicious activities. These logs are identified in NFR-07-11 recommendation b. The [redacted] ISSO will continue to review the logs and report any anomalies as they occur.
New Issue:
Repeat Issue: X
Scheduled Completion Date:
Actual Completion Date: 11/28/2007
Risk Rating: Medium

NFR #: CBP-IT-07-18
Condition: This is a system-level finding. KPMG noted there are currently no procedures in place for the completion of semi-annual re-certifications of [redacted] accounts. KPMG also notes that a recertification of [redacted] accounts is not performed on a semi-annual basis.
Recommendation:
  1. Develop formal procedures for recertifying [redacted] accounts and access to shared data.
  2. Perform regular re-certifications of [redacted] accounts and access to shared data as required by developed procedures.
CBP Plans to Resolve: CBP will determine a method for conducting semi-annual re-certifications of [redacted] accounts. This will involve analysis to determine the most feasible tools and methods for identifying the accounts, notifying the users, and validating that the accounts are still valid. The analysis will be completed by October 2007 with the implementation and first recertification to occur by September 2008.
New Issue: X
Repeat Issue:
Scheduled Completion Date: 18A - 9/1/2008; 18B - 9/1/2008
Actual Completion Date:
Risk Rating: Medium

NFR #: CBP-IT-07-19
Condition: This is a component level finding. KPMG noted that the completion of security awareness training is not appropriately tracked at CBP. KPMG noted that out of a selection of 45 CBP employees, one employee maintained access to [redacted] without having completed the refresher security awareness training course. The individual completed an awareness course that was not the CBP-wide security awareness training required for all CBP employees.
Recommendation:
  1. Ensure that security awareness training is completed in a timely manner by all employees with access to CBP information systems.
  2. Continue to work towards implementing online training for all CBP personnel to facilitate automated tracking of the completion of security awareness training.
CBP Plans to Resolve: CBP concurs with the finding.
  - CBP will work towards ensuring the on-line Virtual Learning Center (VLC) is the primary tool for completing and tracking Security Awareness Training. Issues concerning possession of a valid CBP email address to register in the VLC should be resolved when the system is upgraded on 8/3/07. This upgrade allows the ability to create temporary accounts that will merge with the employees' permanent accounts once established.
  - A conversion from Lotus to Active Directory Exchange, scheduled for completion by 12/31/07, should resolve additional VLC account issues.
  [redacted] will work with the OTD to establish controls that prevent employees from completing other Security Awareness courses if the basic course date is expired or incomplete.
New Issue:
Repeat Issue: X
Scheduled Completion Date: 19A - 3/31/2008; 19B - 6/1/2008
Actual Completion Date:
Risk Rating: Low

NFR #: CBP-IT-07-20
Condition: This is a component level finding. KPMG noted several access control weaknesses for the [redacted] solution during test work. Specifically, KPMG noted:
  - The [redacted] server does not maintain information on user account creation and inactivity and therefore cannot terminate inactive accounts or provide audit information regarding the creation of accounts,
  - Accounts that did not recertify during the recertification time period or were marked for deletion during the recertification period remained active on the system after the
Recommendation:
  1. Automate the recertification process in order to remove the need for after-the-fact recertification via methods not documented in recertification procedures (email, verbal, etc.)
  2. Configure the [redacted] servers to store information about the creation dates and activity of users in order to be able to properly identify inactive accounts and allow for their deletion.
  3. Improve the process of deactivating accounts at the end of the recertification period and ensure that all accounts that should be removed from the system
CBP Plans to Resolve: CBP concurs with the finding.
  - CBP will research ways to improve and automate the current manual recertification process. The recertification procedures will be documented and updated as needed.
  - CBP will research solutions with vendors and network engineering to improve reporting modules and configurations to the [redacted] server to store and archive data about the users. Procedures for deactivating accounts at the end of the recertification process will be improved.
  - Pending an automated solution, the following mitigation is being pursued to improve the recertification
New Issue:
Repeat Issue: X
Scheduled Completion Date: 20A - 4/30/2008; 20B - 4/30/2008; 20C - 4/30/2008
Actual Completion Date:
Risk Rating: Medium
are\n             accounts should                              process by making\n                                   removed.               improvements to\n             have been\n                                                          the Access Request\n             deactivated by\n                                                          System.\n             administrators,\n             - Procedures for\n             recertifying\n             accounts were not\n             fully implemented\n             and accounts were\n             recertified by\n             means beyond\n             those identified in\n             documented\n             procedures.\n\n\n\n\n                                           53\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                 APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                               Scheduled      Actual\n                                                      CBP Plans to            New     Repeat                              Risk\n  NFR #          Condition        Recommendation                                               Completion   Completion\n                                                      Resolve                 Issue   Issue\n                                                                                                 Date          Date\n                                                                                                                         Rating\n\nCBP-IT-07-   This is a system     CBP formalize       CBP developed                     X                   21A-     
    Medium\n21           level finding.       procedures for      and approved the                                      1/15/2008\n             KPMG noted that      reviewing these           Security                                        21B-\n             when changes to a    access change       Audit Log                                             1/25/2008\n             user\xe2\x80\x99s access are    logs and that       Procedure (6-21-\n             performed in         review of these     2007). The\n                                                      ISSO reviews the\n                        the log   logs is\n                                                      logs on a periodic\n             of these events is   implemented on a\n                                                      basis (4-5 times per\n             not regularly        periodic basis as   week) to determine\n             reviewed by          set forth in        potential security\n             personnel            criteria.           violations and\n             independent from                         notifies the\n             those individuals                        of any anomalies\n             who made the                             detected.\n             changes.                                 For       , a process\n                                                      is in place, and\n                                                      reviews have\n                                                      begun. 
Schedules\n                                                      for reviews are\n                                                      being developed.\n\n\n\n\n                                           54\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                            APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                            Scheduled      Actual\n                                                      CBP Plans to         New     Repeat                              Risk\n  NFR #          Condition        Recommendation                                            Completion   Completion\n                                                      Resolve              Issue   Issue\n                                                                                              Date          Date\n                                                                                                                      Rating\n\nCBP-IT-07-   This is a            CBP implement       CBP concurs with               X                   10/4/2007     Low\n22           component level      procedures in OIT   the NFR. The\n             finding. 
KPMG        divisions to\n             noted that           perform a review\n             documents            of all\n             identified in FY     documentation to\n             2006 as not          update,\n                                                             document\n             having               consolidate and\n                                                      cited in this NFR\n             documented           approve the         has been corrected\n             approval or          documented          and appropriate\n             approval dates       procedures in use   approval\n             still lack these     by operational      information\n             required             personnel.          obtained. The\n             approvals and                            other documents\n             approval or                              cited in this NFR\n             effective date.                          will be corrected\n             Specifically,                            and appropriate\n             KPMG noted that:                         approval\n             -                                        information\n                                                      obtained by\n                                                      September 30,\n                                                      2007. 
CBP will\n             \xe2\x80\x93 No approval for\n                                                      promulgate\n             majority of fiscal\n                                                      established formal\n             year                                     approval processes\n             - Configuration                          and requirements\n             Management                               throughout the OIT\n             Code Migration                           Program Offices\n             Procedures for                           and Divisions by\n                  \xe2\x80\x93 No                                September 30,\n             approval or                              2007.\n             effective date\n             - Configuration\n             Management\n             Code Migration\n             Procedures for\n                   \xe2\x80\x93 No\n             approval date or\n             effective date\n             - Production\n             Management\n             Team Procedures\n             \xe2\x80\x93 No approval, no\n             change history\n             -\n             Operations:\n             Standard\n             Operating\n             Procedures \xe2\x80\x93 No\n             approval\n\n\n\n\n                                           55\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                               APPENDIX D\n                                        US Customs and Border Protection\n                                     Information Technology Management Letter\n                                                September 30, 2007\n\n\n                                                                                               Scheduled      Actual\n                                                        CBP Plans to          New     Repeat                  
            Risk\n  NFR #          Condition         Recommendation                                              Completion   Completion\n                                                        Resolve               Issue   Issue\n                                                                                                 Date          Date\n                                                                                                                         Rating\n\nCBP-IT-07-   3 out of 5 selected   CBP/OIT              CBP concurs with       X                            1/28/2008    Medium\n23                 Emergency       management           the finding but\n             Changes did not       consistently apply   does not agree to\n             have post-            emergency            the\n             implementation        change               recommendation.\n             Executive             management post-     Emergency\n                                                        changes in\n             Approval as           implementation\n                                                        continue to be\n             required by the       procedures to all\n                                                        made according to\n             new OIT                     emergency      OIT procedures\n             emergency             changes.             that require\n             change                Furthermore,         executive\n             procedures.           
post-                management\n                                   implementation       approval prior to\n                                   procedures should    implementation\n                                   be regularly         rather than after.\n                                   reviewed and         Over the past six\n                                   provide regular      months, OIT has\n                                   feedback to          conducted a\n                                   change               thorough review of\n                                   administrators to    its change\n                                   determine any        management\n                                                        processes,\n                                   post-\n                                                        including\n                                   implementation\n                                                        emergency\n                                   steps that may       changes. This\n                                   have been missed     review resulted in\n                                   due to the           the new OIT\n                                   expeditious nature   Change\n                                   of emergency         Management\n                                   changes.             Handbook (OIT\n                                                        CM 2.17), which\n                                                        became effective in\n                                                        August, 2007.\nCBP-IT-07-   The        re-        1.Apply              Transferred                     X      12/11/2008                Medium\n24           certification         procedures           remediation to OF.\n             process has           outlined in the\n             several               newly distributed\n             weaknesses. 
Of        memorandum\n             the 45 selected       from Office of\n             ports, none had       Field Operations\n             formally              dated April 27,\n             documented            2007\n             communication         2.Consistently\n             between the           document results\n             responsible DFO       of re-\n             and OFO               certifications at\n             headquarters as       the port level and\n             directed by the       maintain\n             FY 2006               documentation\n             memorandum put\n             out by Office of\n             Finance\n\n\n\n\n                                           56\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                  APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                                Scheduled      Actual\n                                                        CBP Plans to           New     Repeat                                  Risk\n  NFR #          Condition        Recommendation                                                Completion   Completion\n                                                        Resolve                Issue   Issue\n                                                                                                  Date          Date\n                                                                                                                              Rating\n\nCBP-IT-07-   This is a system-    1.Formally            CBP has appointed       X                            25A          -    
Low\n25           level finding.       document the          a full-time ISSO                                     9/6/2007\n             KPMG noted that      appointment of        for the                                              25B          -\n             the                  the                   to perform the                                       9/6/2007\n             does not have an     Interim ISSO with     duties stated in the\n             ISSO, but has        a formal              designation letter\n                                                        in accordance with\n             been assigned an     designation letter,\n                                                        information\n             interim ISSO.        and\n                                                        technology security\n             KPMG noted that      2.Appoint a full      regulations and\n             the interim ISSO     time ISSO for the     requirements. The\n             is not formally                  and       audit\n             documented as        document that         recommended\n             the                  appointment with      actions have been\n             ISSO.                a formal              completed.\n                                  designation letter.\nCBP-IT-07-   This is a system-    CBP perform           CBP has already         X                             1/25/2008       Medium\n26           level finding.       periodic review of    developed and\n             KPMG noted that      access violation      approved the\n             evidence of the      logs.                                  Log\n             review of these                            Procedure. 
The\n             violation logs for                                      is\n                                                        reviewing the\n             6 of 25 dates were\n                                                        access change logs\n             not available for\n                                                        on a periodic basis\n             review.                                    (4-5 times per\n                                                        week) to determine\n                                                        potential security\n                                                        violations. The\n                                                        reports of the\n                                                        access change logs\n                                                        will be retained by\n                                                        the              for\n                                                        a period of one\n                                                        year. 
In addition to\n                                                        immediately\n                                                        notifying the\n                                                        CSIRC of any\n                                                        confirmed security\n                                                        anomalies, the\n                                                                     will\n                                                        also provide to the\n                                                        ISSM a monthly\n                                                        report of all\n                                                        security anomalies\n                                                        identified and\n                                                        researched.\n\n\n\n\n                                           57\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                                 APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                               Scheduled      Actual\n                                                       CBP Plans to           New     Repeat                              Risk\n  NFR #          Condition        Recommendation                                               Completion   Completion\n                                                       Resolve                Issue   Issue\n                                                                                                 Date          Date\n                                          
                                                                               Rating\n\nCBP-IT-07-   This is a system-    1.Develop and        CBP concurs with        X               27A-                       High\n27           level finding.       implement            this finding. In                        5/15/2008\n             KPMG noted that      procedures to        response to a                           27B-\n             authorizations are   restrict access to   related NFR (CBP-                       5/15/2008\n             not being                                 IT-07-16), CBP\n             maintained for       administrative       has already agreed\n                                                       to revise the\n             personnel that       capabilities, and\n                                                       applicable policy.\n             have                 2.Require\n                                                       With the revised\n             administrator        documented           policy, CBP will\n             access to            authorization        also develop new\n                                  requests and         processes to\n                                  approval for each    control and\n                                  person requiring     document access\n                                  access to the        for each individual\n                                  mainframe            requiring\n                                  administrative       mainframe\n                                  capabilities.        
administrative\n                                                       capabilities.\n                                                       The target\n                                                       completion date for\n                                                       the policy revision\n                                                       was set as\n                                                       September 30,\n                                                       2007. The target\n                                                       date for the new\n                                                       process and\n                                                       procedures is\n                                                       December 31,\n                                                       2007.\nCBP-IT-07-   This is a system-    1.Develop and        CBP will                X                            28A-         Medium\n28           level finding.       implement access     implement a                                          10/25/2007\n             KPMG noted that      policies and                       that                                   28B-\n             access policies      procedures for the   the Government                                       10/25/2007\n             and procedures                   to       Supervisor will fill\n             have not been        document formal      out and sign to get\n                                                       a new\n             formally             methods for\n                                                                or change\n             documented for       requesting and\n                                                       an active account.\n             the            .     
approving access     The\n             KPMG also noted      for the              implementation of\n             that access                               the form will be by\n             authorization        2.Require            September 15,\n             forms were not       documented           2007.\n             completed for 27     authorization\n             out of 45 accounts   requests and\n             created in FY        approval for each\n             2007.                person requiring\n                                  access to the\n\n\n\n\n                                           58\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                               APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                              Scheduled       Actual\n                                                      CBP Plans to           New     Repeat                               Risk\n  NFR #          Condition        Recommendation                                              Completion    Completion\n                                                      Resolve                Issue   Issue\n                                                                                                Date           Date\n                                                                                                                         Rating\n\nCBP-IT-07-   This is a            Implement the       Transferred                      X       12/11/2008                Medium\n29           component-level      recently            remediation to OF.\n             finding. 
KPMG        developed\n             noted that           procedures for\n             procedures have      completion of the\n             been developed       termination forms\n             and a new            and notify System\n             termination form     Security for all\n             (CF-241) has         terminating\n             been developed       employees so that\n             for use in           systems access\n             terminating          can be removed\n             employees.           appropriately.\n             KPMG notes that\n             while these\n             procedures\n             address the\n             submission of the\n             form to System\n             Security and\n             require\n             notification of\n             removal of system\n             access from\n             System Security,\n             the new\n             procedures were\n             developed and\n             activated in June,\n             2007. The\n             procedures are\n             currently not\n             implemented.\nCBP-IT-07-   This is a system-    1.Work with other   CBP concurs with        X               30A-                        High\n30           level finding.       US CBP Offices      this finding. The                       4/15/2008\n             KPMG noted that      and within OIT to   Office of Finance                       30B-\n             multiple             receive notice of   published a new                         4/15/2008\n             terminated           termination of      directive for the\n             employees            employees in a      Separation\n                                                      Procedures for\n             retained active      timely manner so\n                                                      Government\n             accounts on the      that accounts can\n                                                      Employees. The\n                  . 
They were     be deactivated on   solution to this\n             disabled as a        the departure of    finding will require\n             result of accounts   the employee.       all CBP\n             being inactive for   2.Terminate         applications to\n             90 days.             accounts for        interface with the\n             Therefore, these     terminated\n             accounts were        employees in a      program in order to\n             active 90 days       timely manner.      deactivate accounts\n             after the                                automatically.\n             employee                                 Beginning in\n             terminated from                          November 2007\n             US CBP.                                  OIT will begin\n                                                      coordinating with\n                                                      other CBP offices\n                                                      to develop a\n                                                      coordinated plan of\n                                                      action to address\n                                                      this finding\n\n\n\n\n                                           59\n  Information Technology Management Letter for the FY 2007 CBP Financial Statement Audit\n\x0c                                                                                                               APPENDIX D\n                                       US Customs and Border Protection\n                                    Information Technology Management Letter\n                                               September 30, 2007\n\n\n                                                                                               Scheduled      Actual\n                                                        CBP Plans to          New     Repeat                              Risk\n  NFR #          
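The two account-management findings above (NFR 20: no creation or activity data, accounts left active past recertification; NFR 30: separated employees whose accounts stayed enabled until a 90-day inactivity rule caught them) come down to one reconciliation that a system owner can run on a schedule. The following Python is an added example, not code from the report or from CBP: it joins an account inventory with an HR separation feed and activity and recertification dates, and reports each control failure separately. The user names, employee ids, dates, the Account record layout and the 365-day recertification period are assumptions of this example; the 90-day inactivity threshold is the one stated in NFR 30.

```python
"""Flag accounts that should already have been deactivated.

Added example (not from the report or from CBP). It reconciles an
application's account inventory against (a) a list of separated employees,
(b) each account's last recorded activity and (c) its last recertification,
the three gaps described in NFR 20 and NFR 30. All records and dates below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    employee_id: str
    created: date
    last_activity: Optional[date]      # None: the system keeps no activity data (NFR 20)
    last_recertified: Optional[date]   # None: never recertified since creation
    active: bool


# Constructed sample inventory (hypothetical users, ids and dates).
ACCOUNTS: List[Account] = [
    Account("alice", "E1001", date(2006, 10, 1), date(2007, 9, 25), date(2007, 3, 1), True),
    Account("bob",   "E1002", date(2006, 10, 1), date(2007, 5, 20), date(2007, 3, 1), True),
    Account("carol", "E1003", date(2005, 1, 15), date(2007, 4, 28), date(2007, 3, 1), True),
    Account("dave",  "E1004", date(2007, 8, 15), date(2007, 9, 29), None,             True),
    Account("eve",   "E1005", date(2006, 1, 10), date(2007, 9, 28), None,             True),
    Account("frank", "E1006", date(2006, 3, 3),  date(2007, 2, 1),  date(2007, 3, 1), False),
    Account("grace", "E1007", date(2007, 1, 5),  None,              date(2007, 3, 1), True),
]

# Constructed HR separation feed: employee id -> last day of employment.
SEPARATIONS: Dict[str, date] = {"E1003": date(2007, 5, 1), "E1006": date(2007, 2, 15)}

AS_OF = date(2007, 9, 30)   # fiscal year end used by the audit


def flag_accounts(accounts, separations, as_of, inactivity_days=90, recert_period_days=365):
    """Return the active accounts that fail each control.

    inactivity_days defaults to the 90-day threshold cited in NFR 30;
    recert_period_days (annual recertification) is an assumption of this example.
    """
    separated_still_active: List[Tuple[str, int]] = []
    inactive: List[str] = []
    unrecertified: List[str] = []
    no_activity_data: List[str] = []

    for acct in accounts:
        if not acct.active:
            continue  # already disabled; nothing to flag

        # NFR 30: separated employee whose account is still enabled.
        left = separations.get(acct.employee_id)
        if left is not None and left < as_of:
            separated_still_active.append((acct.user, (as_of - left).days))

        # NFR 20: inactivity can only be judged if the system records activity,
        # so accounts without that data are reported on their own.
        if acct.last_activity is None:
            no_activity_data.append(acct.user)
        elif (as_of - acct.last_activity).days > inactivity_days:
            inactive.append(acct.user)

        # NFR 20: recertification overdue, measured from the last recertification
        # or, for accounts never recertified, from creation.
        baseline = acct.last_recertified or acct.created
        if (as_of - baseline).days > recert_period_days:
            unrecertified.append(acct.user)

    return {
        "separated_still_active": separated_still_active,
        "inactive": inactive,
        "unrecertified": unrecertified,
        "no_activity_data": no_activity_data,
    }


def audit_sample():
    """Run the check over the constructed data as of fiscal year end."""
    return flag_accounts(ACCOUNTS, SEPARATIONS, AS_OF)


if __name__ == "__main__":
    for control, hits in audit_sample().items():
        print(f"{control}: {hits}")
```

Over the constructed data, carol is reported under both the separation and the inactivity checks, which is the NFR 30 pattern: the inactivity rule eventually catches the account, but only 90 days after the employee left. grace surfaces under no_activity_data, the NFR 20 case where the server records nothing the check could use, which is why the example keeps that list separate from accounts that are merely inactive.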
NFR #: CBP-IT-07-31
  New Issue: (blank)   Repeat Issue: X
  Scheduled Completion Date: 12/11/2008   Actual Completion Date: (blank)
  Risk Rating: Medium
  Condition: KPMG noted that 12 of the 45 selected ports/headquarters did not have self-inspection worksheets completed. Accordingly, KPMG was not able to determine whether specific [redacted] high-risk combinations of roles were performed at these ports/headquarters.
  Recommendation: 1. Apply the procedures outlined in the newly distributed memorandum from the Office of Field Operations. 2. Consistently document the results of re-certifications at the port level.
  CBP Plans to Resolve: Transferred remediation to OF.

NFR #: CBP-IT-07-32
  New Issue: X   Repeat Issue: (blank)
  Scheduled Completion Date: (blank)   Actual Completion Date: 12/5/2007
  Risk Rating: Medium
  Condition: This is a new finding for FY 2007. KPMG selected 20 out of 201 changes and noted the following:
    - 9 of the 20 changes did not have formal test plans or documented results.
    - None of the changes showed evidence of review of the documented test results.
  Recommendation: CBP management and [redacted] ensure that all program offices appropriately document all test data, transactions, and program change results.
  CBP Plans to Resolve: Project teams will ensure that test documentation is attached to all change requests (Ascendant OMS of specific types), and the test documentation will record the reviewer's name as well as the review date. The Operational Maintenance Procedure will be edited accordingly and enacted October 1, 2007.

NFR #: CBP-IT-07-33
  New Issue: X   Repeat Issue: (blank)
  Scheduled Completion Date: 3/14/2008   Actual Completion Date: (blank)
  Risk Rating: Medium
  Condition: This is a new finding for FY 2007. KPMG selected 15 of 90 [redacted] changes and noted the following:
    - 3 of the 15 selected changes did not have formally documented test plans or test results.
    - None of the changes showed evidence of review of the documented test results.
  Recommendation: CBP management and the OIT CCB ensure that all program offices appropriately document all test data, transactions, and program change results to monitor the quality of program changes.
  CBP Plans to Resolve: CBP concurs with the finding. Management will take further steps to monitor the quality of changes to [redacted], including the review of test documentation and test results. The OIT CM 2.01 Policy dated June 12, 2006 has implemented the requirement that all project documentation be stored in the OIT Configuration Management (CM) tool, Dimensions. Also, a Quality Assurance review will be completed to track metrics and recommend additional improvements to the process if needed.
NFR #: CBP-IT-07-34
  New Issue: X   Repeat Issue: (blank)
  Scheduled Completion Date: 5/15/2008   Actual Completion Date: (blank)
  Risk Rating: High
  Condition: This is a component-level finding. KPMG noted that virus protection is not installed on all CBP workstations. Specifically, KPMG noted at the time of testing that approximately 6,000 of CBP's approximately 38,000 workstations did not have antivirus protection installed. Since the initial testing was performed, KPMG has noted that immediate remediation has begun and, as of September 28, 2007, improvements have been made, but 1,557 out of 42,429 workstations are still missing virus protection software.
  Recommendation: CBP ensure that antivirus protection is installed on all workstations under the control of CBP.
  CBP Plans to Resolve: CBP concurs with the finding and has already begun remediation activities. Only 1,557 out of 42,429 workstations are missing virus protection software. CBP will continue to utilize the reporting function of [redacted], which has the capability of searching for virus definition files that are more than 5 updates behind and of searching for workstations that do not have the agent installed ("Uninstalled" status). A project is being undertaken by the DHS [redacted] to ensure that rogue systems are identified and that workstations that do not have the [redacted] agent installed will be forced to install it. Also, with the new rollout of [redacted] 4.0, the [redacted] will require that any workstation authenticating to the domain automatically has the [redacted] agent installed. Estimated Completion: 12/31/2007.
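The response to the entry above describes three separate checks: agents the console reports as "Uninstalled", definition files more than 5 updates behind, and rogue systems that authenticate to the domain but are unknown to the console at all (the last is the one a console report cannot show by itself, because the console only knows hosts that have an agent). The following is an added example in Python, not code from CBP or from the redacted antivirus product: it reconciles a constructed domain computer list against a constructed console export, produces the same kind of coverage figure as the 1,557 of 42,429 quoted above, and models the decision the domain-logon enforcement would make. The record fields, the sequential definition-version number, treating an unreported version as stale, and all hostnames are assumptions made for illustration.

```python
"""Antivirus coverage reconciliation (added example, not CBP's or the vendor's code).

Cross-checks a constructed domain computer list against a constructed antivirus
console export for the three conditions the response describes: no agent
record at all (rogue), agent in "Uninstalled" status, and definition files more
than MAX_DEFINITION_LAG updates behind. Field names, the sequential definition
number and the sample data are assumptions; the product itself is redacted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DEFINITION_LAG = 5  # "more than 5 updates behind" counts as stale


@dataclass(frozen=True)
class AgentRecord:
    hostname: str
    status: str                        # e.g. "Managed" or "Uninstalled"
    definition_version: Optional[int]  # sequential update number; None if unreported


@dataclass
class CoverageReport:
    total_domain_hosts: int
    no_agent_record: List[str] = field(default_factory=list)   # rogue systems
    uninstalled: List[str] = field(default_factory=list)
    stale_definitions: List[str] = field(default_factory=list)

    def unprotected(self) -> List[str]:
        """Hosts with no working agent: rogue plus uninstalled."""
        return sorted(set(self.no_agent_record) | set(self.uninstalled))

    def unprotected_pct(self) -> float:
        return round(100.0 * len(self.unprotected()) / self.total_domain_hosts, 2)


def index_agents(agents: List[AgentRecord]) -> Dict[str, AgentRecord]:
    """Console export keyed by upper-cased hostname so joins are case-insensitive."""
    return {a.hostname.upper(): a for a in agents}


def assess(domain_hosts: List[str], agents: List[AgentRecord], current_definition: int) -> CoverageReport:
    """Walk the domain inventory (the authoritative list) and look each host up in the console."""
    by_host = index_agents(agents)
    report = CoverageReport(total_domain_hosts=len(domain_hosts))
    for host in sorted(h.upper() for h in domain_hosts):
        rec = by_host.get(host)
        if rec is None:
            report.no_agent_record.append(host)       # on the domain, unknown to the console
            continue
        if rec.status.lower() == "uninstalled":
            report.uninstalled.append(host)
            continue
        # assumption: an unreported version cannot be shown current, so it is stale
        if rec.definition_version is None or current_definition - rec.definition_version > MAX_DEFINITION_LAG:
            report.stale_definitions.append(host)
    return report


def must_install_on_logon(hostname: str, agents_by_host: Dict[str, AgentRecord]) -> bool:
    """Decision the domain-logon enforcement makes: push the agent when absent or uninstalled."""
    rec = agents_by_host.get(hostname.upper())
    return rec is None or rec.status.lower() == "uninstalled"


# Constructed sample: eight domain hosts and a console export that misses one of them.
CURRENT_DEFINITION = 5140
SAMPLE_DOMAIN = ["ws001", "ws002", "ws003", "ws004", "ws005", "ws006", "ws007", "ws008"]
SAMPLE_AGENTS = [
    AgentRecord("WS001", "Managed", 5140),
    AgentRecord("WS002", "Managed", 5133),      # 7 behind: stale
    AgentRecord("WS003", "Uninstalled", None),
    AgentRecord("WS004", "Managed", 5135),      # exactly 5 behind: not "more than 5"
    AgentRecord("WS006", "Managed", 5140),
    AgentRecord("WS007", "Uninstalled", 5100),
    AgentRecord("WS008", "Managed", 5140),
    AgentRecord("OLDBOX", "Managed", 5140),     # known to the console, not on the domain
]


def run_sample() -> CoverageReport:
    return assess(SAMPLE_DOMAIN, SAMPLE_AGENTS, CURRENT_DEFINITION)


if __name__ == "__main__":
    r = run_sample()
    print("rogue (no agent record):", r.no_agent_record)
    print("uninstalled:            ", r.uninstalled)
    print("stale definitions:      ", r.stale_definitions)
    print(f"unprotected: {len(r.unprotected())} of {r.total_domain_hosts} ({r.unprotected_pct()}%)")
```

The direction of the join matters: iterating the domain inventory and looking up the console is what surfaces rogue hosts, whereas iterating the console export would only ever find hosts that already have an agent. A host that appears in the console but not on the domain (OLDBOX above) is a different question, decommissioning hygiene, and is deliberately left out of the coverage figure.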
NFR #: CBP-IT-07-35
  New Issue: (blank)   Repeat Issue: X
  Scheduled Completion Date: (blank)   Actual Completion Date: 2/13/2008
  Risk Rating: High
  Condition: During our technical testing, eighteen configuration management exceptions were identified on [redacted] Controllers and hosts supporting the [redacted] application. These vulnerabilities are listed in an enclosed table.
  Recommendation: The recommendations are listed in an enclosed table.
  CBP Plans to Resolve: CBP concurs with the finding. Anticipated completion of the corrective action is Dec 31, 2007.

NFR #: CBP-IT-07-36
  New Issue: (blank)   Repeat Issue: X
  Scheduled Completion Date: (blank)   Actual Completion Date: 2/13/2008
  Risk Rating: High
  Condition: During our technical testing, thirty-seven patch management exceptions were identified on [redacted] Controllers and hosts supporting the [redacted] application. These vulnerabilities are listed in an enclosed table.
  Recommendation: The recommendations are listed in an enclosed table.
  CBP Plans to Resolve: CBP concurs with the finding. Anticipated completion of the corrective action is Dec 31, 2007.


Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600, Attention:
        Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
        Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.